Incorrect Time-Weighted Reward Calculation Due to Overlapping Distribution Periods
Summary
The BoostController contract contains a critical vulnerability in its working supply calculation that overwrites the pool's total working supply with individual user boost values instead of accumulating them. This flaw leads to incorrect reward distributions by disregarding historical boost contributions.
Vulnerability Details
In the updateUserBoost function, the working supply is erroneously set to a single user's boost amount:
Technical Analysis
Error Type: State mutation error (overwrite vs accumulation)
Affected Component: Pool reward distribution mechanism
Trigger Condition: Any user boost update after initial pool activity
Attack Vector: Front-running boost updates before reward distributions
Impact
-
Critical Severity:
Last updated user receives 100% of pool rewards
Other participants get 0 rewards regardless of actual contributions
-
Protocol Impact:
Complete breakdown of reward distribution fairness
Enables trivial fund drainage attacks
Makes pool participation financially nonviable
Tools Used
Manual Review
Recommendations
Immediate Fix
Lead Judging Commences
BoostController::updateUserBoost overwrites workingSupply with single user's boost value instead of accumulating, breaking reward multipliers and allowing last updater to capture all benefits
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.