Logical Error in getBoostMultiplier::BoostController.sol Always Returns MAX_BOOST if userBoost.amount != 0
Summary
getBoostMultiplier intended to calculate a user’s boost multiplier for a specific pool in basis points (where 10,000 basis points = 100%), contains a logical error in its calculation. When userBoost.amount != 0, it computes
baseAmount = userBoost.amount * 10000 / MAX_BOOST
and
returns userBoost.amount * 10000 / baseAmount
Due to integer arithmetic, this simplifies to MAX_BOOST (typically 25,000 basis points or 2.5x), regardless of userBoost.amount or other factors. This undermines the function’s purpose of providing a variable boost multiplier, effectively making it constant when a boost exists.
Vulnerability Details
Impact
Incorrect evaluation of gettBoostMultiplier, misinformation
Tools Used
manual review
Recommendations
Scale boost based on userBoost.amount relative to a pool’s total boost or a fixed threshold
Lead Judging Commences
BoostController::getBoostMultiplier always returns MAX_BOOST for any non-zero boost due to mathematical calculation error, defeating the incentive mechanism
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.