Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC

Submission Details
Severity: medium
Valid

removeBoostDelegation() Uses Wrong Address and Fails to Reduce Pool Power

Relevant GitHub Links

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/governance/boost/BoostController.sol#L242-L258

Summary

removeBoostDelegation() looks up the pool's boost state under the wrong key: it reads poolBoosts[msg.sender] instead of poolBoosts[pool]. The entry for msg.sender is never written, so its totalBoost and workingSupply are 0, the `>=` guard never passes, and the delegated amount is never subtracted from the pool's accounting.

Vulnerability Details

// 1. Uses msg.sender instead of the pool address
PoolBoost storage poolBoost = poolBoosts[msg.sender];
// 2. poolBoosts[msg.sender] is an uninitialized entry, so totalBoost is always 0
//    and the check never passes: the power is never reduced
if (poolBoost.totalBoost >= delegation.amount) {
    poolBoost.totalBoost -= delegation.amount;
}
// Same for workingSupply: also 0 under the wrong key, so nothing is subtracted
if (poolBoost.workingSupply >= delegation.amount) {
    poolBoost.workingSupply -= delegation.amount;
}

Impact

  • Pool power and working supply accounting remains inflated after delegations are removed

  • Results in incorrect boost calculations and reward distribution

Tools Used

Manual Review

Recommendations

Use correct pool address and remove unnecessary checks:

PoolBoost storage poolBoost = poolBoosts[pool]; // Use correct pool address
poolBoost.totalBoost -= delegation.amount;
poolBoost.workingSupply -= delegation.amount;
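The following Python model is an added illustration and is not code from the RAAC repository. It reproduces two Solidity behaviours that matter for this finding: an unset mapping key reads as a zeroed struct, and 0.8 checked arithmetic reverts on underflow. It then runs three scenarios: the original code (wrong key, guarded subtraction), the recommended code after the pool was credited on delegation creation, and the recommended code when no such credit happened. The last case is the one the judge's tag points at: unconditional subtraction without a matching addition at creation reverts, so the fix only holds if the pool's boost is credited when the delegation is created. The `delegate()` function, the per-user delegation map and the sample addresses are assumptions made for illustration.

```python
# Added model of the BoostController poolBoosts bookkeeping (not the project's code).
# Solidity-mapping semantics (unset key -> zeroed struct) and 0.8 checked arithmetic
# (revert on underflow) are reproduced so the three scenarios below behave as on-chain.
from collections import defaultdict
from dataclasses import dataclass


class Revert(Exception):
    """Stands in for a Solidity 0.8 checked-arithmetic revert."""


def checked_sub(a: int, b: int) -> int:
    """a - b with Solidity 0.8 semantics: revert instead of wrapping on underflow."""
    if b > a:
        raise Revert("arithmetic underflow")
    return a - b


@dataclass
class PoolBoost:
    totalBoost: int = 0
    workingSupply: int = 0


@dataclass
class Delegation:
    pool: str
    amount: int


class BoostModel:
    def __init__(self) -> None:
        # mapping(address => PoolBoost): reading an unset key yields a zeroed struct
        self.poolBoosts: dict[str, PoolBoost] = defaultdict(PoolBoost)
        # Assumption: one delegation per delegating user, keyed by that user
        self.delegations: dict[str, Delegation] = {}

    def delegate(self, sender: str, pool: str, amount: int, credit_pool: bool) -> None:
        """Assumed creation path. credit_pool=True models the symmetric 'add on
        creation' that the judge's tag says the contract lacks."""
        self.delegations[sender] = Delegation(pool, amount)
        if credit_pool:
            pb = self.poolBoosts[pool]
            pb.totalBoost += amount
            pb.workingSupply += amount

    def remove_original(self, sender: str, pool: str) -> None:
        """Mirrors the reported code: wrong key plus guarded subtraction."""
        delegation = self.delegations.pop(sender)
        poolBoost = self.poolBoosts[sender]  # bug: msg.sender, not pool
        if poolBoost.totalBoost >= delegation.amount:  # 0 >= amount is false
            poolBoost.totalBoost -= delegation.amount
        if poolBoost.workingSupply >= delegation.amount:
            poolBoost.workingSupply -= delegation.amount

    def remove_fixed(self, sender: str, pool: str) -> None:
        """Mirrors the recommendation: correct key, unconditional subtraction."""
        delegation = self.delegations.pop(sender)
        poolBoost = self.poolBoosts[pool]
        poolBoost.totalBoost = checked_sub(poolBoost.totalBoost, delegation.amount)
        poolBoost.workingSupply = checked_sub(poolBoost.workingSupply, delegation.amount)


# Constructed sample values, not addresses from the contest
USER, POOL, AMOUNT = "0xUser", "0xPool", 100


def scenario_wrong_key() -> tuple[int, int]:
    """Original code: pool stays inflated at AMOUNT, the user's entry stays at 0."""
    m = BoostModel()
    m.delegate(USER, POOL, AMOUNT, credit_pool=True)
    m.remove_original(USER, POOL)
    return m.poolBoosts[POOL].totalBoost, m.poolBoosts[USER].totalBoost


def scenario_fixed_with_credit() -> tuple[int, int]:
    """Recommended code with a matching credit at creation: pool returns to 0."""
    m = BoostModel()
    m.delegate(USER, POOL, AMOUNT, credit_pool=True)
    m.remove_fixed(USER, POOL)
    pb = m.poolBoosts[POOL]
    return pb.totalBoost, pb.workingSupply


def scenario_fixed_without_credit() -> str:
    """Recommended code with no credit at creation: checked subtraction reverts."""
    m = BoostModel()
    m.delegate(USER, POOL, AMOUNT, credit_pool=False)
    try:
        m.remove_fixed(USER, POOL)
    except Revert:
        return "revert"
    return "ok"


if __name__ == "__main__":
    print("original, pool/user totalBoost after removal:", scenario_wrong_key())
    print("fixed + credited at creation:", scenario_fixed_with_credit())
    print("fixed, never credited at creation:", scenario_fixed_without_credit())
```

The first scenario is the reported bug: the delegated amount is still counted in the pool after removal. The third scenario is the check a reviewer should run before accepting the recommended fix as-is: with the guard removed and no credit on the creation side, every removal reverts and delegations become stuck.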
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController removes pool boost on delegation removal without adding it on delegation creation, leading to accounting inconsistencies and potential underflows
