wrong initialization of boostState.minBoost in constructor::BaseGauge.sol could lead to potential underflow in calculateBoost due to boostRange calculation
Summary
The calculateBoost function computes a boost multiplier based on a user’s veBalance relative to totalVeSupply, scaling between params.minBoost and params.maxBoost. The calculation boostRange = params.maxBoost - params.minBoost assumes maxBoost >= minBoost. However, the constructor initializes boostState.maxBoost = 25000 (2.5x in basis points) and boostState.minBoost = 1e18 (1 quintillion), where minBoost vastly exceeds maxBoost. Additionally, setBoostParameters allows the controller to set these values arbitrarily without enforcing maxBoost >= minBoost. In Solidity <0.8.0 (or unchecked arithmetic in ≥0.8.0), subtracting a larger minBoost from a smaller maxBoost causes an underflow, reverting the transaction and breaking boost calculations.
calculateBoost
Root Cause
-
Initialization Mismatch:
Constructor sets maxBoost = 25000 (25,000 basis points, 2.5x) and minBoost = 1e18 (1 quintillion), where minBoost > maxBoost by a massive margin (1e18 >> 25,000).
Likely a typo: minBoost might have intended 10000 (1x in basis points), but 1e18 is a common precision unit, misapplied here.
-
Underflow in Calculation: In Solidity <0.8.0, maxBoost - minBoost underflows if minBoost > maxBoost (e.g., 25000 - 1e18 wraps to a huge number), reverting the transaction. In ≥0.8.0, it reverts explicitly
Impact
Function Reverts: With minBoost = 1e18 and maxBoost = 25000, boostRange = 25000 - 1e18 underflows, causing calculateBoost to revert ( Solidity ≥0.8.0). A low severity as setBoostParameters::BaseGauge.solcan change the value to 10000
Tools Used
Manual
Recommendations
Lead Judging Commences
boostState.minBoost is set to 1e18
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.