delegateBoost doesnt update the poolBoost variables
Summary
It can be seen that when updateUserBoost is called in the BoostController.sol function, the poolBoost.totalBoost, poolBoost.workingSupply etc are updated accordingly. But this updation is missing when a user delegates using the delegateBoost() function
Vulnerability Details
In the updateUserBoost, the poolBoost variables are updated
But these updations are missing in the delegateBoost function. This causes the updateUserBoost to be unusable after sometime.Because assume user A has called the delegateBoost function which updates his userBoost.amount to 10 (for example). after a while his voting power comes down, and updateUserBoost function is called, here the reduction of his voting power is subtracted from the poolBoost.totalBoost. This will revert since it was never added in the first place thus going negative.
Impact
updateUserBoost function wont work, and entire accounting will be wrong.
Tools Used
manual review
Recommendations
update the poolBoost variables in the delegateBoost function too.
Lead Judging Commences
BoostController removes pool boost on delegation removal without adding it on delegation creation, leading to accounting inconsistencies and potential underflows
BoostController removes pool boost on delegation removal without adding it on delegation creation, leading to accounting inconsistencies and potential underflows
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.