Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

User can delegateBoost() to multiple addresses with the same veToken balance

Summary

User can delegateBoost() to multiple addresses with the same veToken balance

Vulnerability Details

BoostController.delegateBoost() allows the caller to delegate their voting power to another address. However, the function does not take into account how much boost the caller (msg.sender) has delegated so far, so multiple addresses can be delegated the same voting power.

Impact

A user can delegate boost (equivalent to 100% of their voting power) to multiple addresses, making the overall boost of the contract much higher than it should be.

Tools Used

Manual review

Recommendations

Add a new state variable `mapping (address => uint256) alreadyDelegated` that records how much a user has delegated so far. This variable must be increased for msg.sender when boost is delegated and decreased when delegated boost is removed.
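A sketch of the recommended accounting, added here as an example; it is not the audited BoostController code. The `IVeTokenLike` interface, the `delegatedTo` mapping, the custom errors and `removeDelegation` are hypothetical names, and the sketch assumes the delegator removes their own delegation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed minimal interface; the real veToken exposes more than this.
interface IVeTokenLike {
    function balanceOf(address account) external view returns (uint256);
}

// Added sketch, not the audited BoostController; names other than
// delegateBoost and alreadyDelegated are hypothetical.
contract DelegationAccounting {
    IVeTokenLike public immutable veToken;

    // Total boost each user currently has delegated out (the recommended state).
    mapping(address => uint256) public alreadyDelegated;
    // delegator => recipient => amount, so a removal knows what to give back.
    mapping(address => mapping(address => uint256)) public delegatedTo;

    error InvalidDelegation();
    error ExceedsUndelegated(uint256 requested, uint256 available);

    constructor(IVeTokenLike _veToken) {
        veToken = _veToken;
    }

    function delegateBoost(address to, uint256 amount) external {
        if (amount == 0 || to == address(0) || to == msg.sender) revert InvalidDelegation();

        uint256 balance = veToken.balanceOf(msg.sender);
        uint256 used = alreadyDelegated[msg.sender];
        // Compare against the undelegated remainder, not the full balance.
        // If the balance has dropped below `used`, nothing is available.
        uint256 available = balance > used ? balance - used : 0;
        if (amount > available) revert ExceedsUndelegated(amount, available);

        alreadyDelegated[msg.sender] = used + amount;
        delegatedTo[msg.sender][to] += amount;
    }

    function removeDelegation(address to) external {
        uint256 amount = delegatedTo[msg.sender][to];
        if (amount == 0) revert InvalidDelegation();
        delete delegatedTo[msg.sender][to];
        alreadyDelegated[msg.sender] -= amount;
    }
}
```

With this check, the sum of a user's outstanding delegations can never exceed their veToken balance at the time of each call, so a second delegation of the full balance reverts.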

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController::delegateBoost lacks total delegation tracking, allowing users to delegate the same veTokens multiple times to different pools for amplified influence and rewards
