Core Contracts

Summary

The getUserWeight(...) function, which determines the number of rewards a user earns in the earned(...) function within the Gauge contract, does not properly check if the user actually voted for the gauge. Instead, it calculates rewards based on the total gauge weight, allowing users to claim rewards from gauges they never supported.

Vulnerability Details

Current Implementation

Why This Is a Problem

• The function retrieves the total weight of the gauge from IGaugeController, but does not check if the user actually voted for that gauge.

• The account parameter is never used, meaning every user sees the same gauge weight regardless of whether they voted or not.

• As a result, any user can claim rewards from any gauge, even if they did not vote for it.

Exploit Scenario

1. A gauge accumulates rewards based on its assigned weight in GaugeController.

2. A user who never voted for the gauge calls earned(...), which relies on getUserWeight(...).

3. Since getUserWeight(...) returns the total gauge weight instead of the user's actual weight, the user wrongfully claims a share of the rewards.

4. The reward pool is drained unfairly, reducing incentives for legitimate voters.

Impact

• Users can claim rewards from gauges they never voted for, unfairly distributing emissions.

• Legitimate users receive fewer rewards, since others are claiming a share without participating.

• The reward system is broken, as it fails to correctly allocate emissions based on actual votes.

Tools Used

N/A

Recommendations

• Modify getUserWeight(...) to consider only the weight the user actually voted for the gauge.

• Reference userGaugeVotes[msg.sender][gauge] (or a similar mapping) to properly track individual voting weights.

• Ensure reward calculations use individual voting weights rather than total gauge weight to maintain fairness.