The system relies on the recipient of a delegation to call removeBoostDelegation to clean up expired delegations by deleting the entry from userBoosts. If the recipient fails to call this function (whether due to inactivity, negligence or malicious intent), the expired delegation persists in storage. As a result, the getWorkingBalance and getUserBoost functions return incorrect values, leading to inaccurate data retrieval, misleading metrics and potential misuse by external systems or users relying on these functions.
When a delegation expires, it is not automatically removed from the userBoosts mapping. Instead, removal relies on the recipient explicitly calling removeBoostDelegation.
If the recipient never calls the function, the expired delegation remains in userBoosts, causing stale data to persist indefinitely.
The getWorkingBalance function retrieves the amount field from userBoosts without checking if the delegation has expired.
Similarly, the getUserBoost function retrieves all fields (amount, expiry, delegatedTo, lastUpdateTime) from userBoosts without checking if the delegation has expired.
If a delegation has expired but has not been removed, the functions will return incorrect values.
The getWorkingBalance and getUserBoost functions may return incorrect values for expired delegations, leading to misleading metrics and incorrect calculations for rewards.
Manual code review
Modify the getWorkingBalance and getUserBoost functions to return zero or default values for expired delegations, ensuring accurate data retrieval.
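One way to apply this recommendation, as an added sketch that is not the audited contract's code. The struct fields are the ones named in the finding; the mapping layout, the function signatures, the meaning of a zero expiry, and the setBoostForTest helper are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added sketch, not the audited contract. Field names come from the finding;
// the mapping layout and function signatures are assumptions.
contract ExpiryAwareBoostViews {
    struct UserBoost {
        uint256 amount;
        uint256 expiry;
        address delegatedTo;
        uint256 lastUpdateTime;
    }

    // Assumed layout: user => pool => boost record.
    mapping(address => mapping(address => UserBoost)) internal userBoosts;

    // Assumption: expiry == 0 means "no expiry set"; any other value is a
    // deadline after which the record must be treated as absent.
    function _isExpired(UserBoost storage b) internal view returns (bool) {
        return b.expiry != 0 && block.timestamp >= b.expiry;
    }

    function getWorkingBalance(address user, address pool) external view returns (uint256) {
        UserBoost storage b = userBoosts[user][pool];
        return _isExpired(b) ? 0 : b.amount;
    }

    function getUserBoost(address user, address pool)
        external
        view
        returns (uint256 amount, uint256 expiry, address delegatedTo, uint256 lastUpdateTime)
    {
        UserBoost storage b = userBoosts[user][pool];
        if (_isExpired(b)) {
            // Stale entry still in storage: report defaults, as if it had been deleted.
            return (0, 0, address(0), 0);
        }
        return (b.amount, b.expiry, b.delegatedTo, b.lastUpdateTime);
    }

    // Hypothetical helper so the sketch can be exercised in a test harness.
    function setBoostForTest(address user, address pool, uint256 amount, uint256 expiry, address to) external {
        userBoosts[user][pool] = UserBoost(amount, expiry, to, block.timestamp);
    }
}
```

With the check in the read path, the getters no longer depend on the recipient calling removeBoostDelegation; the stale entry still occupies storage until it is deleted.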