Core Contracts

Summary

The function GaugeController::_updateGaugeWeight is vulnerable to an underflow issue. A user can manipulate the gauge weight calculations, leading to unexpected behavior or breaking the contract logic.

Vulnerability Details

An underflow occurs in the function GaugeController::_updateGaugeWeight. Below is a proof of concept:

1. A new gauge is created with an initial weight:

   g.weight = initialWeight = 1;

2. The first user calls GaugeController::vote with votingPower = 4000 and weight = 6000. Execution proceeds to _updateGaugeWeight:

   newGaugeWeight = oldGaugeWeight(1) - (oldWeight(0) * votingPower / WEIGHT_PRECISION)(0)

   + (newWeight(6000) * votingPower(4000) / WEIGHT_PRECISION(10000));

   newGaugeWeight = 2400;

   g.weight = newGaugeWeight = 2400;

3. The user's voting power increases, and they attempt to reset the weight to 0 by calling GaugeController::vote with votingPower = 5000 and weight = 0:

   newGaugeWeight = oldGaugeWeight(2400) - (oldWeight(6000) * votingPower(5000) / WEIGHT_PRECISION(10000))

   + (newWeight(0) * votingPower(5000) / WEIGHT_PRECISION(10000));

   newGaugeWeight = 2400 - 3000; // @audit Underflow occurs here

Root Cause

• The subtraction operation leads to an underflow because 2400 - 3000 results in a negative number, which Solidity does not support in unsigned integers.

Impact

• User will not be able to revoke the votes.

• Many case it will be DOS.

Tools Used

• Manual code review

Recommendations

• Implement proper bounds checks before performing subtraction.