Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Incorrect Reduction of Pool Boost on Delegation Removal

Summary

The removeBoostDelegation function incorrectly decreases poolBoost.totalBoost and poolBoost.workingSupply when a delegation is removed, even though delegateBoost does not modify these values initially. This leads to an artificial reduction in pool boost metrics, which impacts reward calculations.

Vulnerability Details

  • In delegateBoost, when a user delegates their boost, poolBoost.totalBoost and poolBoost.workingSupply remain unchanged (correct behavior).

  • However, in removeBoostDelegation, the delegated amount is subtracted from these pool-wide metrics:

    if (poolBoost.totalBoost >= delegation.amount) {
        poolBoost.totalBoost -= delegation.amount; // @issue: Should not modify totalBoost
    }
    if (poolBoost.workingSupply >= delegation.amount) {
        poolBoost.workingSupply -= delegation.amount;
    }

  • Since delegation does not increase these values initially, subtracting the amount upon removal leads to an incorrect deflation of pool-wide boost values.

Code References

Correct Behavior (Delegation Does Not Modify Pool Boost)

    delegation.amount = amount;
    delegation.expiry = block.timestamp + duration;
    delegation.delegatedTo = to;
    delegation.lastUpdateTime = block.timestamp;

Incorrect Behavior (Delegation Removal Modifies Pool Boost)

    if (poolBoost.totalBoost >= delegation.amount) {
        poolBoost.totalBoost -= delegation.amount; // @issue: Incorrect modification
    }
    if (poolBoost.workingSupply >= delegation.amount) {
        poolBoost.workingSupply -= delegation.amount; // @issue: Incorrect modification
    }
    poolBoost.lastUpdateTime = block.timestamp;

Impact

  • Artificial Reduction of Pool Boost:

    • The total boost available to the pool is incorrectly reduced when delegation is removed.

    • This can lead to inaccurate reward calculations, as the pool appears to have less boost than it actually does.

  • Potential Exploit Scenarios:

    • Attackers could repeatedly delegate and remove delegations to artificially suppress the pool's total boost, potentially impacting reward distributions.

Tools Used

Manual Review

Recommendations

Consider removing the incorrect pool boost modifications from removeBoostDelegation.
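
An added example, not the BoostController source: a simplified JavaScript model of the lines quoted above, used as an invariant check that a delegate/remove round trip leaves the pool totals unchanged. The helper names (makePool, roundTripDrift), the sample values and the clearing of the delegation record on removal are assumptions.

```javascript
// Simplified model of the accounting lines quoted in this finding (added example,
// not the BoostController source). BigInt stands in for uint256.
function makePool(totalBoost, workingSupply) {
  return { totalBoost, workingSupply, lastUpdateTime: 0n };
}

// Mirrors the quoted delegateBoost lines: only the delegation record is written.
function delegateBoost(delegation, to, amount, duration, now) {
  delegation.amount = amount;
  delegation.expiry = now + duration;
  delegation.delegatedTo = to;
  delegation.lastUpdateTime = now;
}

// Mirrors the quoted removeBoostDelegation lines when `fixed` is false;
// with `fixed` true the pool-wide subtractions are dropped, as recommended.
function removeBoostDelegation(pool, delegation, now, fixed) {
  if (!fixed) {
    if (pool.totalBoost >= delegation.amount) pool.totalBoost -= delegation.amount;
    if (pool.workingSupply >= delegation.amount) pool.workingSupply -= delegation.amount;
  }
  pool.lastUpdateTime = now;
  delegation.amount = 0n; // assumption: the record is cleared on removal
}

// Invariant check: a delegate/remove round trip must leave pool totals unchanged.
// Returns how far each total drifted after `rounds` round trips.
function roundTripDrift(fixed, rounds) {
  const pool = makePool(1000n, 1000n); // constructed sample values
  const before = { ...pool };
  let now = 1n;
  for (let i = 0; i < rounds; i++) {
    const delegation = {};
    delegateBoost(delegation, "0xDelegate", 300n, 86400n, now); // constructed address label
    removeBoostDelegation(pool, delegation, now + 86400n, fixed);
    now += 86400n;
  }
  return {
    totalBoost: before.totalBoost - pool.totalBoost,
    workingSupply: before.workingSupply - pool.workingSupply,
  };
}
```

In this model the `>=` guards prevent an underflow revert but not the drift: the totals stop shrinking only once they fall below the delegated amount.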

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController removes pool boost on delegation removal without adding it on delegation creation, leading to accounting inconsistencies and potential underflows
