`BaseGauge::_getBaseWeight` function returns the total weight of the corresponding gauge, which will result in full DoS of the reward calculation
Summary
This is due to the fact that instead of the weight a user putted into the corresponding gauge, the BaseGauge::_getBaseWeight function returns the total weight of the gauge, resulting in miscalculation of rewards
Vulnerability Details
When the BaseGauge::getUserWeight function is called, first thing done is to call BaseGauge::_getBaseWeight as seen here:
The function aims to get the weight that a user voted to the gauge with and then apply boost to it. The problem here is that the _getBaseWeight function returns the total weight of the gauge, leading to users accumulating such rewards that the protocol will never be able to pay off.
Impact
users will accumulating such rewards that the protocol will never be able to pay off. By doing it like this, users that have not voted for this gauge are able to receive rewards by simply staking 1 wei worth of stakeToken to the gauge
Tools Used
Manual review
Recommendations
Make the _getBaseWeight return the GaugeController::userGaugeVotes mapping. This will prevent rewards from DoS and will keep users that haven't voted for the gauge unable to receive rewards
Lead Judging Commences
BaseGauge._getBaseWeight ignores account parameter and returns gauge's total weight, allowing users to claim rewards from gauges they never voted for or staked in
BaseGauge._getBaseWeight ignores account parameter and returns gauge's total weight, allowing users to claim rewards from gauges they never voted for or staked in
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.