Old vote of the user is not correctly removed in the GuageController.sol _updateGaugeWeight() function
Summary
In the _updateGuageWEight() function, the new guage weight is calculated by removing the old vote of the same user and adding the new vote made by the user. But the removal of the old vote uses the new voting power of the user instead of the old power. This causes incorrect amount to be subtracted.
Vulnerability Details
Assume the following scenario of a user :(using v.p= votingpower)
-
v.p = 10, weight = 1000 => newWeight = 0 - 0 + 1000*10/1e4 = 1
-
v.p of user reduces
v.p = 1, weight = 1 => newWeight = 1 - 1000x1/1e4 + 1 x1/1e4 = 1 -
v.p of user increases
v.p = 10, weight = 1000 => newWeight = 1 - 1x10/1e4 + 10x1000/1e4 = 2|
It can be seen that the code doesnt expect the voting power of the user to reduce/increase and this is wrong. A user can essentially keep adding to his original vote by manipulating his voting power accordingly.
Impact
User's can manipulate their voting on the guage weight
Tools Used
manual review
Recommendations
Keep track of the old voting power of the user
Lead Judging Commences
GaugeController::_updateGaugeWeight uses current voting power for both old and new vote calculations, causing underflows when voting power increases and incorrect gauge weights
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.