Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

`BoostController` advertises a boost delegation mechanism that is both unused and flawed

Description

The BoostController contract implements a delegation mechanism that is meant to let users delegate their voting power to pools or other users, as stated in BoostController.md#features:

Features:

  • Boost delegation system

However, the boost delegation mechanism is both flawed and incomplete. While BoostController::delegateBoost() lets users delegate their veRAAC balance, these delegations are never consulted in boost calculations or in any other contract functionality. In addition, the existing delegation code lets users delegate veRAAC to themselves, and lets them delegate the same balance to other users/pools an unlimited number of times, because no running total of a user's outstanding delegations is kept and checked against their veRAAC balance. This is not the intended behavior, as stated in BoostController.md#usage-notes:

Usage notes:

  • Delegations require sufficient veRAAC balance


Impact

High. The delegation mechanism is advertised as a core feature of the protocol, yet it is incomplete and unused: a user's delegations have no effect on boost calculations, and the same veRAAC balance can be delegated repeatedly. Users relying on the documented feature are misled about what the contract actually does.

Likelihood

High. The issue occurs every time the delegation mechanism is used in the current implementation and affects any user attempting to use it: the delegation simply has no effect on the users' or pools' voting power, and the documented balance requirement can be bypassed by delegating the same balance more than once.

Proof of Concept

To run this proof of concept, integrate Foundry by executing the following commands in your terminal, in the project's root directory:

# Create required directories
mkdir out lib
# Add `forge-std` module to `lib`
git submodule add https://github.com/foundry-rs/forge-std lib/forge-std
# Create foundry.toml
touch foundry.toml

Next, configure foundry by adding the following settings to foundry.toml:

[profile.default]
src = "contracts"
out = "out"
lib = "lib"

After that, create a foundry/ directory inside the test/ directory. Inside foundry/, create the following file:

  • BoostModule.t.sol

And then paste the following code into BoostModule.t.sol:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test, console} from "../../lib/forge-std/src/Test.sol";
import {RAACToken} from "../../contracts/core/tokens/RAACToken.sol";
import {veRAACToken} from "../../contracts/core/tokens/veRAACToken.sol";
import {BoostController} from "../../contracts/core/governance/boost/BoostController.sol";

contract BoostModuleTest is Test {
    address public immutable OWNER = makeAddr("owner");
    address public immutable TIMELOCK = makeAddr("timelock");
    address public immutable USER = makeAddr("user");
    address public immutable POOL_1 = makeAddr("pool-1");
    address public immutable POOL_2 = makeAddr("pool-2");

    RAACToken public raac;
    veRAACToken public veRaac;
    BoostController public boostController;

    function setUp() public {
        vm.startPrank(OWNER);
        raac = new RAACToken(TIMELOCK, 0, 0);
        veRaac = new veRAACToken(address(this));
        boostController = new BoostController(address(veRaac));
        vm.stopPrank();
    }

    function test_poc_delegate_voting_power_infinitely() public {
        // Give the user a 1000 veRAAC balance directly via storage (forge-std `deal`).
        deal(address(veRaac), USER, 1000e18);

        // The user delegates their entire balance to two different pools.
        // Both calls succeed: no running total of delegated veRAAC is kept,
        // so the same balance can be delegated to any number of addresses.
        vm.startPrank(USER);
        boostController.delegateBoost(POOL_1, 1000e18, 182 days);
        boostController.delegateBoost(POOL_2, 1000e18, 182 days);
        vm.stopPrank();
    }
}

And finally, run the proof of concept with the following command:

forge test --mt test_poc_delegate_voting_power_infinitely -vvv
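The accounting that the proof of concept shows to be missing, written out as an added example. This is illustrative code, not the project's BoostController or a proposed patch to it; the `IVeToken` interface, the contract and mapping names, the custom errors and the duration bounds are all assumptions made for the example. It keeps a per-delegator running total so a balance can only be committed once, rejects self-delegation, and credits the recipient pool so that a boost calculation has a value to read.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed minimal interface: the example only needs the delegator's current
// ve-token balance. The real veRAACToken interface is not reproduced here.
interface IVeToken {
    function balanceOf(address account) external view returns (uint256);
}

/// @notice Illustrative delegation accounting (hypothetical contract, not the
/// project's BoostController). It keeps the running total that the finding
/// says is missing, and credits the recipient pool so a boost calculation
/// can actually read the delegated amount.
contract BoostDelegationExample {
    struct Delegation {
        uint256 amount;
        uint256 expiry;
    }

    IVeToken public immutable veToken;

    // Assumed duration bounds; the real contract's limits may differ.
    uint256 public constant MIN_DURATION = 7 days;
    uint256 public constant MAX_DURATION = 365 days;

    // delegator => recipient => outstanding delegation
    mapping(address => mapping(address => Delegation)) public delegations;
    // delegator => sum of all outstanding delegated amounts
    mapping(address => uint256) public totalDelegated;
    // recipient => boost currently delegated to it by all delegators
    mapping(address => uint256) public poolDelegatedBoost;

    event BoostDelegated(address indexed from, address indexed to, uint256 amount, uint256 expiry);
    event BoostDelegationRemoved(address indexed from, address indexed to, uint256 amount);

    error SelfDelegation();
    error ZeroAmount();
    error InvalidDuration();
    error DelegationExists();
    error NoDelegation();
    error DelegationActive();
    error InsufficientVeBalance(uint256 requested, uint256 available);

    constructor(address veToken_) {
        veToken = IVeToken(veToken_);
    }

    function delegateBoost(address to, uint256 amount, uint256 duration) external {
        if (to == msg.sender) revert SelfDelegation();
        if (amount == 0) revert ZeroAmount();
        if (duration < MIN_DURATION || duration > MAX_DURATION) revert InvalidDuration();
        if (delegations[msg.sender][to].amount != 0) revert DelegationExists();

        // The check the finding asks for: everything this user has already
        // delegated plus the new amount must fit inside their ve balance.
        uint256 balance = veToken.balanceOf(msg.sender);
        uint256 committed = totalDelegated[msg.sender];
        if (committed + amount > balance) {
            revert InsufficientVeBalance(amount, balance > committed ? balance - committed : 0);
        }

        uint256 expiry = block.timestamp + duration;
        delegations[msg.sender][to] = Delegation({amount: amount, expiry: expiry});
        totalDelegated[msg.sender] = committed + amount;
        poolDelegatedBoost[to] += amount;

        emit BoostDelegated(msg.sender, to, amount, expiry);
    }

    /// @notice The delegator may withdraw at any time; anyone may clean up
    /// an expired delegation so the pool's boost does not stay inflated.
    function removeDelegation(address from, address to) external {
        Delegation memory d = delegations[from][to];
        if (d.amount == 0) revert NoDelegation();
        if (msg.sender != from && block.timestamp < d.expiry) revert DelegationActive();

        delete delegations[from][to];
        totalDelegated[from] -= d.amount;
        poolDelegatedBoost[to] -= d.amount;

        emit BoostDelegationRemoved(from, to, d.amount);
    }

    /// @notice Amount a boost calculation should add for `pool`: the value
    /// that, in the finding, is never read anywhere.
    function delegatedBoostOf(address pool) external view returns (uint256) {
        return poolDelegatedBoost[pool];
    }
}
```

Run against this accounting, the second call in the proof of concept, delegateBoost(POOL_2, 1000e18, 182 days), reverts with InsufficientVeBalance(1000e18, 0), because the first call already committed the user's entire balance. One caveat for a production version: ve-style balances decay over time, so a balance that covered all delegations when they were made may no longer do so later; the consumer of delegatedBoostOf() should re-check the delegator's live balance, or cap the credited amount at it, rather than trust the recorded total indefinitely.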
Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

  • BoostController::delegateBoost lacks total delegation tracking, allowing users to delegate the same veTokens multiple times to different pools for amplified influence and rewards

  • BoostController's delegation system fundamentally broken due to missing pool associations, treating recipient addresses as pools and never properly updating pool boost metrics
