Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Self-Delegation and Missing Boost Reduction Vulnerabilities in delegateBoost Function

Summary

The delegateBoost function in the smart contract allows users to delegate their boost to another address. However, the contract contains two vulnerabilities:

  1. Users can delegate boost to themselves, effectively "doubling" their boost without increasing their actual token holdings.

  2. The contract does not reduce the msg.sender’s boost after delegation, allowing users to retain their original boost and gain an additional boost through delegation. This leads to an unfair increase in boost.

Vulnerability Details

1 - Self-Delegation Vulnerability:
The delegateBoost function allows users to delegate boost power to another address, but it does not prevent users from delegating boost to themselves. The relevant code section is:
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/governance/boost/BoostController.sol#L212-L234

function delegateBoost(
    address to,
    uint256 amount,
    uint256 duration
) external override nonReentrant {
    if (paused()) revert EmergencyPaused();
    // Only the zero address is rejected; `to` is never compared with msg.sender.
    if (to == address(0)) revert InvalidPool();
    if (amount == 0) revert InvalidBoostAmount();
    if (duration < MIN_DELEGATION_DURATION || duration > MAX_DELEGATION_DURATION)
        revert InvalidDelegationDuration();

    // Checked against the sender's full veToken balance.
    uint256 userBalance = IERC20(address(veToken)).balanceOf(msg.sender);
    if (userBalance < amount) revert InsufficientVeBalance();

    UserBoost storage delegation = userBoosts[msg.sender][to];
    if (delegation.amount > 0) revert BoostAlreadyDelegated();

    // The delegation is recorded, but nothing is subtracted from the sender's own boost.
    delegation.amount = amount;
    delegation.expiry = block.timestamp + duration;
    delegation.delegatedTo = to;
    delegation.lastUpdateTime = block.timestamp;

    emit BoostDelegated(msg.sender, to, amount, duration);
}

There is no validation to prevent the msg.sender from being the same as the to address. As a result, users can delegate boost to themselves, effectively increasing their boost power without increasing their actual token holdings.

2 - Missing Boost Reduction:
The contract does not reduce the msg.sender's boost after the delegation occurs. The reduction logic is missing, so users can delegate boost to others without it being subtracted from their own balance. Users therefore end up with more boost than they should: they gain excess boost without giving up any of their own, which produces a double-boost effect.

Impact

Double Boost: Users can effectively double their boost by delegating to themselves.

Excessive Boost: Due to the missing boost reduction, users can retain their original boost in addition to any delegated boost, further inflating their boost.

Tools Used

Manual code review

Recommended Mitigation

1 - Prevent Self-Delegation:
Add a check that prevents the msg.sender from delegating boost to themselves by testing whether to == msg.sender and reverting if true:

if (to == msg.sender) revert CannotDelegateToSelf();

2 - Ensure Boost Reduction After Delegation:
When boost is delegated, ensure that the corresponding amount is subtracted from the sender’s own boost. Modify the logic to reduce the sender’s boost when delegation occurs.
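
Both mitigations combined in one stand-alone contract, as an added example that is not the RAAC BoostController or code from the submission. The error names InvalidPool, InvalidBoostAmount, InsufficientVeBalance, BoostAlreadyDelegated and CannotDelegateToSelf are taken from this page; IVeBalance, DelegationAccountingSketch, totalDelegated, releaseDelegation and DelegationNotExpired are hypothetical, and the pause, reentrancy and duration-bound checks are left out to keep the focus on the accounting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical minimal view of the veToken; only balanceOf is needed here.
interface IVeBalance {
    function balanceOf(address account) external view returns (uint256);
}

contract DelegationAccountingSketch {
    struct UserBoost { uint256 amount; uint256 expiry; }

    IVeBalance public immutable veToken;
    mapping(address => mapping(address => UserBoost)) public userBoosts;
    // Hypothetical: sum of all live delegations made by each delegator.
    mapping(address => uint256) public totalDelegated;

    error InvalidPool();
    error InvalidBoostAmount();
    error CannotDelegateToSelf();
    error InsufficientVeBalance();
    error BoostAlreadyDelegated();
    error DelegationNotExpired();

    constructor(IVeBalance _veToken) { veToken = _veToken; }

    function delegateBoost(address to, uint256 amount, uint256 duration) external {
        if (to == address(0)) revert InvalidPool();
        if (to == msg.sender) revert CannotDelegateToSelf(); // mitigation 1
        if (amount == 0) revert InvalidBoostAmount();
        // Mitigation 2: only the not-yet-delegated part of the balance is available.
        // A ve balance can decay below what is already delegated, so guard the subtraction.
        uint256 balance = veToken.balanceOf(msg.sender);
        uint256 used = totalDelegated[msg.sender];
        if (balance < used || balance - used < amount) revert InsufficientVeBalance();
        UserBoost storage d = userBoosts[msg.sender][to];
        if (d.amount > 0) revert BoostAlreadyDelegated();
        d.amount = amount;
        d.expiry = block.timestamp + duration;
        totalDelegated[msg.sender] = used + amount;
    }

    // Releases an expired delegation so its amount can be delegated again.
    function releaseDelegation(address to) external {
        UserBoost storage d = userBoosts[msg.sender][to];
        if (d.amount == 0 || block.timestamp < d.expiry) revert DelegationNotExpired();
        totalDelegated[msg.sender] -= d.amount;
        delete userBoosts[msg.sender][to];
    }
}
```

Any boost calculation for the delegator would then use balance minus totalDelegated rather than the raw veToken balance, so the same veTokens cannot count both for the delegator and for a recipient.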

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController::delegateBoost lacks total delegation tracking, allowing users to delegate the same veTokens multiple times to different pools for amplified influence and rewards
