In the _updateBoostState function, the global boost state variable _boostState.votingPower is set to the current voting power of the specific user for whom the function is called. This overwrites the global value with a user-specific value.
The root cause is a design flaw in the update logic. Instead of accumulating or maintaining a global total, the function directly assigns the user’s voting power to _boostState.votingPower.
For example, if User A has 1,000 voting power and User B has 2,000 voting power, calling _updateBoostState(A, ...) sets _boostState.votingPower to 1,000. Later, when calculating boosts for User B, the boost state incorrectly reflects only 1,000 instead of the total 3,000, resulting in an erroneously high boost multiplier for User B.
Since _boostState.votingPower is intended to represent the total or aggregate voting power relevant for boost calculations, overwriting it with one user’s voting power corrupts the boost calculations for all users. This means that subsequent boost multipliers might be computed based on an incorrect base, leading to unfair or inconsistent reward boosts.
Revise _updateBoostState to update the boost state variables in a way that aggregates the voting power across all users or maintains an independent, accurate global total. The function should not overwrite the global voting power with a single user’s value; instead, it should compute or update it based on all active locks.
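One way to keep the global total consistent, shown next to the overwrite pattern the finding describes. This is an added sketch, not the audited contract's code: the contract name, the `userPower` parameter, the `_recordedPower` mapping and the external wrappers are assumptions, since the page elides the function's real arguments.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration. Only _updateBoostState and _boostState.votingPower
// are names taken from the finding; everything else is hypothetical.
contract BoostStateSketch {
    struct BoostState {
        uint256 votingPower; // intended meaning: aggregate across all users
    }

    BoostState internal _boostState;   // updated with per-user deltas
    BoostState internal _flawedState;  // updated with the overwrite pattern

    // Hypothetical bookkeeping: the voting power last counted for each user.
    mapping(address => uint256) internal _recordedPower;

    // Pattern described in the finding: the global field is assigned one
    // user's value, discarding every other user's contribution.
    function _updateBoostStateOverwrite(address, uint256 userPower) internal {
        _flawedState.votingPower = userPower;
    }

    // Aggregating pattern: swap the user's previous contribution for the
    // new one, so the field always equals the sum over all users.
    function _updateBoostState(address user, uint256 userPower) internal {
        uint256 previous = _recordedPower[user];
        // Add before subtracting so the intermediate value cannot underflow.
        _boostState.votingPower = _boostState.votingPower + userPower - previous;
        _recordedPower[user] = userPower;
    }

    // Drives both patterns with the same input so the totals can be compared.
    function recordUser(address user, uint256 userPower) external {
        _updateBoostStateOverwrite(user, userPower);
        _updateBoostState(user, userPower);
    }

    function flawedTotal() external view returns (uint256) {
        return _flawedState.votingPower;
    }

    function aggregatedTotal() external view returns (uint256) {
        return _boostState.votingPower;
    }
}
```

Calling `recordUser` for each user in turn leaves `flawedTotal()` at the last caller's value, while `aggregatedTotal()` holds the sum; an invariant test asserting that the global field equals the sum of per-user values would catch the overwrite.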