Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Boost Delegation Lacks Pool-Specific Tracking in `BoostController`

Summary

In the `BoostController` contract, the boost delegation system lets users delegate a portion of their boost to another address without specifying a pool, resulting in a “global delegation” stored as `userBoosts[msg.sender][to]`. Because this record has no link to a particular pool, it is unclear which pool’s rewards or boosts should be affected, which leads to confusing or unintended behavior.

Vulnerability Details

The function `delegateBoost` writes to `userBoosts[msg.sender][to]` but does not take a pool parameter. This implies an all-encompassing delegation rather than a targeted delegation per pool.

Contracts typically require a user’s boosted balance to be pool-specific so that each pool can properly account for a user’s actual share of rewards.

Impact

Since the delegated amount is not tied to a specific pool, calculations for pool rewards could become inaccurate, leading to unfair distribution of yields or governance influence.

Tools Used

Manual Review

Recommendations

Use a nested mapping structure to store pool-specific delegation information, ensuring that each pool’s boosts are correctly tracked and distributed.
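One way the recommended pool-keyed layout could look, as an added example that is not the audited `BoostController` code. Every name other than `delegateBoost` is hypothetical, including the admin-managed pool allow-list and the `receivedBoost` aggregate, and validating `amount` against the delegator's own boost is assumed to be handled separately.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the audited BoostController. Every name except
// delegateBoost is hypothetical.
contract PoolScopedDelegation {
    struct Delegation { uint256 amount; uint256 expiry; }

    address public immutable admin;
    mapping(address => bool) public supportedPools; // assumed pool allow-list
    // delegator => pool => recipient => delegation
    mapping(address => mapping(address => mapping(address => Delegation))) public delegations;
    // pool => recipient => boost currently delegated to that recipient in that pool
    mapping(address => mapping(address => uint256)) public receivedBoost;

    error NotAdmin();
    error UnsupportedPool();
    error InvalidInput();
    error AlreadyDelegated();
    error NothingToRemove();
    error NotExpired();

    constructor() { admin = msg.sender; }

    function setPool(address pool, bool supported) external {
        if (msg.sender != admin) revert NotAdmin();
        supportedPools[pool] = supported;
    }

    // The pool is an explicit, validated key, so a delegation cannot leak into
    // another pool's accounting. Checking `amount` against the caller's own
    // available boost is assumed to happen elsewhere and is not modelled here.
    function delegateBoost(address pool, address to, uint256 amount, uint256 duration) external {
        if (!supportedPools[pool]) revert UnsupportedPool();
        if (to == address(0) || to == msg.sender || amount == 0 || duration == 0) revert InvalidInput();
        Delegation storage d = delegations[msg.sender][pool][to];
        if (d.amount != 0) revert AlreadyDelegated();
        d.amount = amount;
        d.expiry = block.timestamp + duration;
        receivedBoost[pool][to] += amount; // per-pool aggregate stays in sync
    }

    function removeDelegation(address pool, address to) external {
        Delegation storage d = delegations[msg.sender][pool][to];
        if (d.amount == 0) revert NothingToRemove();
        if (block.timestamp < d.expiry) revert NotExpired();
        receivedBoost[pool][to] -= d.amount;
        delete delegations[msg.sender][pool][to];
    }
}
```

Reward or boost calculations for a pool would then read `receivedBoost[pool][user]` rather than a record that carries no pool identity.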

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController's delegation system fundamentally broken due to missing pool associations, treating recipient addresses as pools and never properly updating pool boost metrics
