Gauge Weight Manipulation due to Incorrect Voting Power Reference
Summary:
The GaugeController.sol gauge weight calculation incorrectly uses current voting power instead of historical voting power when removing old votes, allowing manipulation of gauge weights through changes in voting power between votes.
Vulnerability Details:
In the GaugeController.sol:: _updateGaugeWeight
Mathematical proof of manipulation:
Initial vote:
Voting power: 500
Vote weight: 60% (6000)
Added to gauge: (6000 500) / 10000 = 300
Later, with increased voting power:
New voting power: 1000
When removing old vote: (6000 1000) / 10000 = 600
Removes 600 when only 300 was added!
Result:
Gauge weight reduced by 300 more than it should be
Could lead to underflow if gauge weight < excess removal amount
Impact:
Gauge weights can be manipulated by changing voting power between votes
Incorrect gauge weight calculations affect reward distribution
Possible underflow when removing more weight than contributed
Undermines the entire voting mechanism's integrity
Could lead to unfair reward allocations
Tools Used:
Manual code review
Recommendations:
Track historical voting power with votes.
Add vote power snapshot system.
Lead Judging Commences
GaugeController::_updateGaugeWeight uses current voting power for both old and new vote calculations, causing underflows when voting power increases and incorrect gauge weights
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.