Core Contracts

Summary

The function GaugeController::_updateGaugeWeight in the GaugeController contract incorrectly handles precision mismatches between different variables, breaking the intended invariant that Gauge.weight and Period.weight should operate with WEIGHT_PRECISION (1e6 decimal precision). This can result in incorrect token distribution and potential transaction failures.

Vulnerability Details

In the GaugeController contract, the variables Gauge.weight and Period.weight are designed to work with WEIGHT_PRECISION (1e6 precision). This is consistent with test files where Gauge.weight is assigned values using 1e6 decimals. However, this invariant is broken in the function GaugeController::_updateGaugeWeight.

The new gauge weight is calculated as:

During the first initialization, it simplifies to:

Precision Mismatch

• newWeight has 1e6 precision (aligned with WEIGHT_PRECISION).

• votingPower has 1e18 precision (as it represents the balance of ve tokens, which have 1e18 decimal precision).

• WEIGHT_PRECISION is 1e6, used as a divisor.

As a result, the computed newGaugeWeight will have 1e18 precision instead of 1e6, leading to:

1. Incorrect token distribution due to an unintended scale increase.

2. Potential overflow or rounding issues in weight calculations.

3. Failure in transactions that depend on correct weight values.

Impact

• The miscalculated gauge weight can distort token distribution across gauges.

• Unexpected weight values may lead to failed transactions.

• A user might manipulate gauge weights unfairly, affecting governance mechanisms.

Tools Used

• Manual code review

Recommendations

• Ensure all weight-related calculations adhere to the WEIGHT_PRECISION (1e6) standard.