The _updateBoostState function incorrectly assigns an individual user’s voting power to a global state variable, leading to erroneous boost calculations. This misassignment affects the denominator in boost computations, potentially skewing reward distributions and undermining the integrity of governance voting power.
In the _updateBoostState function, the contract updates several state variables related to boost calculations. While the overall intention appears to be tracking system-wide metrics for boost computations
Here, the contract fetches the voting power of the specific user calling the function rather than aggregating the voting power of all users. As a result, _boostState.votingPower reflects only the individual’s power rather than the system-wide total. In contrast, _boostState.totalVotingPower is correctly set using totalSupply(), which implies a global perspective. This discrepancy means that subsequent boost calculations that rely on _boostState.votingPower are using an incorrect denominator, leading to miscalculation of boost multipliers.
The boost multiplier, which is crucial for determining rewards, will be computed based on an incorrect denominator. This can lead to either inflated or deflated boost values.
Manual Review
Remove or refactor the line that sets _boostState.votingPower using the individual user's voting power. Instead, use a system-wide metric—such as the total supply of veRAAC tokens or an aggregate calculation of all users' voting power—to ensure that boost calculations are based on the correct global denominator.
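The effect of the misassignment and of the recommended fix can be seen in a small model. This is an added example, not the contract's code: it is written in Python rather than Solidity, and the boost formula, the basis-point bounds and the sample balances are assumptions made for illustration. Only the names _updateBoostState, _boostState.votingPower, _boostState.totalVotingPower and totalSupply() come from the finding.

```python
from dataclasses import dataclass, field

BASIS = 10_000        # assumed: multipliers expressed in basis points
MIN_BOOST = 10_000    # assumed lower bound (1.0x)
MAX_BOOST = 25_000    # assumed upper bound (2.5x)


@dataclass
class BoostModel:
    fixed: bool                                   # True = recommended fix applied
    power: dict = field(default_factory=dict)     # user -> voting power (constructed)
    state_voting_power: int = 0                   # models _boostState.votingPower
    state_total_voting_power: int = 0             # models _boostState.totalVotingPower

    def total_supply(self) -> int:
        return sum(self.power.values())

    def update_boost_state(self, caller: str) -> None:
        """Models _updateBoostState as described in the finding."""
        if self.fixed:
            # Recommended: a system-wide metric as the denominator.
            self.state_voting_power = self.total_supply()
        else:
            # Reported bug: the caller's own power lands in global state.
            self.state_voting_power = self.power[caller]
        self.state_total_voting_power = self.total_supply()

    def boost(self, user: str) -> int:
        """Hypothetical boost formula that divides by the stored voting power."""
        denom = self.state_voting_power
        if denom == 0:
            return MIN_BOOST
        share = min(self.power[user] * BASIS // denom, BASIS)
        return MIN_BOOST + (MAX_BOOST - MIN_BOOST) * share // BASIS


def alice_boost_by_last_caller(fixed: bool) -> dict:
    """Alice's boost after each user in turn was the last to update the state."""
    model = BoostModel(fixed, {"alice": 100, "bob": 900})  # constructed balances
    result = {}
    for caller in ("alice", "bob"):
        model.update_boost_state(caller)
        result[caller] = model.boost("alice")
    return result


if __name__ == "__main__":
    print("buggy:", alice_boost_by_last_caller(fixed=False))
    print("fixed:", alice_boost_by_last_caller(fixed=True))
```

In the buggy model Alice's multiplier depends on which account last triggered the update, while with the system-wide denominator it is the same regardless of caller order.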