Core Contracts

Summary

A vulnerability has been identified in the _calculateBoost function in BoostController.sol, where users with zero veToken balance are granted an unintended high boost amount. This issue arises because instead of returning 0, the function returns the base amount, leading to incorrect reward calculations and potential unfair advantages.

Vulnerability Details

Root Cause

1. The function currently includes the following condition:

   if (userBalance == 0 || totalSupply == 0) {

   return amount;//<@ faulty logic

   }

   • If a user has zero veToken balance, the function returns the base amount (10000 in some cases).

   • This means users with zero veToken holdings receive the maximum boost, which is incorrect.

Issue Explanation

• Users without any voting power (veToken holdings) should receive no boost or a minimal one.

• Instead, they receive 10000, potentially leading to unfair distribution of rewards.

• This contradicts the expected mechanism where boosts are calculated based on veToken holdings.

Impact

• Users with zero veToken get an unfair high boost, distorting the reward distribution.

• Encourages gaming of the system where users can receive rewards without proper participation.

• Could lead to financial losses for genuine participants who have locked tokens expecting higher rewards.

Tools Used

• Manual code review

Recommendations

To prevent this issue, the _calculateBoost function should return 0 when a user has no veToken balance instead of the base amount.

Fixed _calculateBoost Function's logic: