Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Security Report: Boost Aggregation Vulnerability in BoostController Contract

Summary

A medium-severity vulnerability was identified in the BoostController contract, where pool-wide boost aggregation was incorrectly implemented. Specifically, the workingSupply value in the updateUserBoost function was overwritten instead of accumulated, leading to incorrect reward calculations and potential manipulation of boost allocations.

If exploited, users could game the boost system by strategically updating their boosts, resulting in unfair distribution of staking rewards and incorrect protocol emissions.

Vulnerability Details

Issue: Incorrect Boost Aggregation

  • Location: updateUserBoost function

  • Problem:

    • The contract overwrites poolBoost.workingSupply with the latest boost value instead of aggregating boosts from all users.

    • This results in only the last user’s boost being counted toward workingSupply, instead of maintaining a cumulative value.

    • If users update their boosts in a strategic order, they could manipulate the final pool boost value to their advantage.

Code Affected (Before Fix)

poolBoost.workingSupply = newBoost; // Overwrites instead of aggregating

Potential Exploit Scenario

  1. A high-voting-power user updates first, setting a high workingSupply.

  2. Other users update their boosts afterward, overwriting rather than adding to the total supply.

  3. The total pool boost value becomes lower than expected, leading to incorrect emission rates and unfair distribution of staking rewards.

This misalignment in reward allocations can lead to economic loss for users who should be receiving higher rewards and systematic advantages for users who exploit this behavior.

Impact

Severity: Medium

Likelihood: Medium

  • Incorrect reward allocations: Users may receive higher or lower rewards than intended.

  • Potential manipulation: Users can strategically update their boosts to gain an unfair advantage.

  • Economic misalignment: Protocol emissions and staking rewards become distorted, reducing fairness in the system.

  • Reputation risk: Incorrect reward distributions could damage the protocol's credibility among users and investors.

Tools Used

Manual Code Review – Identified improper workingSupply aggregation logic.

Recommendations

1. Fix workingSupply Aggregation

  • Replace workingSupply = newBoost; with correct accumulation logic:

Fixed Code:

if (newBoost >= oldBoost) {
    poolBoost.workingSupply += (newBoost - oldBoost);
} else {
    require(poolBoost.workingSupply >= (oldBoost - newBoost), "BoostController: Underflow in workingSupply");
    poolBoost.workingSupply -= (oldBoost - newBoost);
}

  • This ensures that workingSupply is incremented or decremented properly rather than being overwritten.

2. Add a Safety Check for workingSupply Underflow

  • Ensure that workingSupply does not become negative:

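// If workingSupply is an unsigned integer, this condition is always true; the require before the subtraction in the fixed code is the effective underflow guard.
require(poolBoost.workingSupply >= 0, "BoostController: Invalid working supply");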
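The overwrite and the recommended delta accounting, modelled off-chain as an added example (not the BoostController code or part of the original submission). PoolModel, replay, the user names and the boost values are constructed for illustration; the model checks the invariant a regression test would assert, that workingSupply equals the sum of all users' boosts regardless of update order.

```javascript
// Off-chain model of one pool's boost accounting (added example, constructed data).
// BigInt stands in for an unsigned integer; PoolModel, replay and the users are hypothetical.
class PoolModel {
  constructor(mode) {
    this.mode = mode;           // "overwrite" = pre-fix line, "delta" = recommended fix
    this.userBoost = new Map(); // user -> last recorded boost
    this.workingSupply = 0n;
  }

  updateUserBoost(user, newBoost) {
    const oldBoost = this.userBoost.get(user) ?? 0n;
    this.userBoost.set(user, newBoost);
    if (this.mode === "overwrite") {
      this.workingSupply = newBoost; // only the last caller's boost survives
    } else if (newBoost >= oldBoost) {
      this.workingSupply += newBoost - oldBoost;
    } else {
      const diff = oldBoost - newBoost;
      if (this.workingSupply < diff) throw new Error("Underflow in workingSupply");
      this.workingSupply -= diff;
    }
  }

  // Invariant for a regression test: workingSupply equals the sum of user boosts.
  sumOfUserBoosts() {
    let sum = 0n;
    for (const boost of this.userBoost.values()) sum += boost;
    return sum;
  }
}

// Replays [user, boost] updates and returns the recorded and expected totals.
function replay(mode, updates) {
  const pool = new PoolModel(mode);
  for (const [user, boost] of updates) pool.updateUserBoost(user, boost);
  return { workingSupply: pool.workingSupply, expected: pool.sumOfUserBoosts() };
}

// Constructed sample: three users, then the same updates in reverse order.
const FORWARD = [["alice", 15000n], ["bob", 11000n], ["carol", 20000n]];
const REVERSED = [...FORWARD].reverse();

for (const mode of ["overwrite", "delta"]) {
  for (const [label, updates] of [["forward", FORWARD], ["reversed", REVERSED]]) {
    const { workingSupply, expected } = replay(mode, updates);
    console.log(`${mode}/${label}: workingSupply=${workingSupply} expected=${expected}`);
  }
}
```

In the overwrite mode the recorded total depends on who updated last and never matches the sum; in the delta mode both orderings agree with it.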

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController::getBoostMultiplier always returns MAX_BOOST for any non-zero boost due to mathematical calculation error, defeating the incentive mechanism
