Incorrect minBoost parameter in BaseGauge contract
Summary
The BaseGauge contract is an abstract contract that is implemented in RWAGauge and RAACGauge. The issue arises when the BaseGauge contract initializes the boostState.minBoost parameter incorrectly.
Vulnerability Details
The boostState struct is responsible for boost calculations. It appears that both boostState.maxBoost and boostState.minBoost are expected to be in BASIS_POINT. However, while boostState.maxBoost is correctly set to 25000 (representing a 2.5x boost), boostState.minBoost is mistakenly set to 1e18, which is significantly higher than maxBoost. Ideally, minBoost should be below 10000, which aligns with BASIS_POINT.
The incorrect minBoost value directly impacts the reward update mechanism for users. The minBoost value is used in _applyBoost() to calculate the boost factor. This function is then called in getUserWeight(), which is further used in earn(), and ultimately affects _updateReward(), the function responsible for updating user rewards.
Because of this issue, users may experience incorrect or unfair reward calculations until the minBoost parameter is corrected.
While minBoost can be updated using setBoostParameters(), the incorrect initial value can cause significant problems until it is manually corrected.
Impact
Incorrect minBoost will lead to inaccurate reward distribution.
Tools Used
VS Code
Recommendations
Ensure that minBoost is set to a within the expected range (ideally below 10000).
Lead Judging Commences
boostState.minBoost is set to 1e18
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.