Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

No limit on amount of boost delegations

Summary

In the BoostController contract, delegating boost places no limit on how many addresses a user can delegate to. As a result, a user can delegate the same amount, backed by the same veRAACToken balance, to as many addresses as they want.

Vulnerability Details

PoC. This test can be added to the "Delegation System" section of the BoostController.test.js file:

    it("should allow any amount of delegations", async () => {
        const amount = ethers.parseEther("500");
        const duration = 7 * 24 * 3600; // 7 days, in seconds
        // The same 500-token amount is delegated to ten fresh recipients.
        for (let i = 0; i < 10; i++) {
            const wallet = ethers.Wallet.createRandom();
            // Every call succeeds: nothing sums what user1 has already delegated.
            await expect(boostController.connect(user1).delegateBoost(wallet.address, amount, duration))
                .to.not.be.reverted;
        }
    });

Impact

Depending on future boost implementations, this can drain boost rewards.

Tools Used

Manual review

Recommendations

Add a mapping to track when a user has already delegated and add a revert condition for it in the delegateBoost function.
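
One way to implement this recommendation, as an added sketch that is not the RAAC BoostController source. It goes one step beyond a per-user "already delegated" flag and tracks the running total of delegated amounts against the delegator's balance. The contract name, the IVeBalance interface, the storage layout, the custom errors and removeBoostDelegation are assumptions made for illustration; only the delegateBoost(to, amount, duration) call shape comes from the PoC above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration: hypothetical names, not the RAAC BoostController source.
interface IVeBalance {
    function balanceOf(address account) external view returns (uint256);
}

contract CappedBoostDelegation {
    struct Delegation { uint256 amount; uint256 expiry; }

    IVeBalance public immutable veToken;
    // delegator => recipient => active delegation
    mapping(address => mapping(address => Delegation)) public delegations;
    // delegator => sum of all amounts currently delegated out
    mapping(address => uint256) public totalDelegated;

    error InvalidInput();
    error AlreadyDelegated();
    error ExceedsBalance(uint256 requested, uint256 available);
    error NotExpired();

    constructor(IVeBalance _veToken) { veToken = _veToken; }

    function delegateBoost(address to, uint256 amount, uint256 duration) external {
        if (to == address(0) || amount == 0 || duration == 0) revert InvalidInput();
        if (delegations[msg.sender][to].amount != 0) revert AlreadyDelegated();

        // The missing check: every delegation draws from one shared budget.
        // A decaying ve balance can fall below what is already delegated,
        // so clamp the remaining budget at zero instead of underflowing.
        uint256 balance = veToken.balanceOf(msg.sender);
        uint256 used = totalDelegated[msg.sender];
        uint256 available = balance > used ? balance - used : 0;
        if (amount > available) revert ExceedsBalance(amount, available);

        totalDelegated[msg.sender] = used + amount;
        delegations[msg.sender][to] = Delegation(amount, block.timestamp + duration);
    }

    // Releases the budget once a delegation has run its course.
    function removeBoostDelegation(address to) external {
        Delegation memory d = delegations[msg.sender][to];
        if (d.amount == 0) revert InvalidInput();
        if (block.timestamp < d.expiry) revert NotExpired();
        totalDelegated[msg.sender] -= d.amount;
        delete delegations[msg.sender][to];
    }
}
```

With a check of this kind in place, the loop in the PoC reverts with ExceedsBalance as soon as the cumulative delegated amount would exceed user1's veRAACToken balance.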

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController::delegateBoost lacks total delegation tracking, allowing users to delegate the same veTokens multiple times to different pools for amplified influence and rewards
