Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Pool Working Supply Incorrectly Set to Single User's Boost Value

waydou

Summary

In the BoostController contract, updateUserBoost function incorrectly sets the pool's entire workingSupply to a single user's boost value, effectively erasing all other users' contributions to the pool's working supply.

Vulnerability Details

The updateUserBoost function updates both individual user boost and pool-wide metrics. However, it incorrectly sets the pool's workingSupply to just the latest user's boost value:

// Updates total boost correctly
if (newBoost >= oldBoost) {
poolBoost.totalBoost = poolBoost.totalBoost + (newBoost - oldBoost);
} else {
poolBoost.totalBoost = poolBoost.totalBoost - (oldBoost - newBoost);
}
// Incorrectly overwrites entire working supply
poolBoost.workingSupply = newBoost; // @audit Sets entire pool supply to one user's boost

This means each time any user updates their boost, the pool's entire working supply is overwritten with that user's boost and all other users' contributions to working supply are lost

Impact

Pool's working supply only reflects the last user who updated their boost and all other users' contributions are erased. The workingsupply is also used in other parts of the code such as the removeBoostDelegation, this will disrupt the pool economics and reward distribution

Tools Used

Manual Review

Recommendations

The working supply should be updated incrementally like totalBoost.

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController::getBoostMultiplier always returns MAX_BOOST for any non-zero boost due to mathematical calculation error, defeating the incentive mechanism

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.