Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Incorrect Pool Working Supply Update in updateUserBoost

Summary

The updateUserBoost function erroneously sets the pool's aggregate working supply to an individual user's boost value instead of updating it in an aggregated fashion. This vulnerability enables a user to manipulate the pool's total boost metrics by overwriting the working supply.

Vulnerability Details

After recalculating a user's boost, the updateUserBoost function correctly adjusts the pool's total boost by adding or subtracting the difference between the new and old boost values, but it then directly assigns poolBoost.workingSupply the value of newBoost, which belongs solely to the individual user. This breaks the guarantee that pool-level metrics represent the aggregate boost of all users: whoever calls updateUserBoost last leaves the pool's workingSupply equal to their own boost. A malicious user can therefore set the pool's workingSupply at will simply by calling updateUserBoost, corrupting the boost metrics for the whole pool.

// Calculate new boost for the user
uint256 newBoost = _calculateBoost(user, pool, 10000); // newBoost is the current user's boost
// Update the pool's total boost based on the difference between the new and old boost values
if (newBoost >= oldBoost) {
    poolBoost.totalBoost = poolBoost.totalBoost + (newBoost - oldBoost);
} else {
    poolBoost.totalBoost = poolBoost.totalBoost - (oldBoost - newBoost);
}
// @audit: instead of adding up boosts for all users, this line replaces the pool's working supply
poolBoost.workingSupply = newBoost; // overwrites the aggregate with one user's boost value

Impact

Rating this as High because this compromises the integrity of the pool's boost metrics, which are used for calculating rewards, governance influence, and other critical protocol parameters.

The attack occurs deterministically every time a user calls updateUserBoost and is easily executable by any participant with access to update their boost. The flaw has a severe impact on pool-level calculations and overall system fairness, as it allows a single user to control an aggregate metric that must be collectively maintained.

Tools Used

Manual Review

Recommendations

Replace the overwrite (poolBoost.workingSupply = newBoost) with an incremental update that adds or subtracts the difference between the user's new boost and their old boost, the same way totalBoost is already maintained, so that workingSupply stays an aggregate over all users.

// Update pool totals safely: adjust totalBoost based on the difference between new and old boost values
if (newBoost >= oldBoost) {
    uint256 diff = newBoost - oldBoost;
    poolBoost.totalBoost = poolBoost.totalBoost + diff;
    // Instead of overwriting, increment workingSupply cumulatively
    poolBoost.workingSupply = poolBoost.workingSupply + diff;
} else {
    uint256 diff = oldBoost - newBoost;
    poolBoost.totalBoost = poolBoost.totalBoost - diff;
    // Instead of overwriting, decrement workingSupply cumulatively
    poolBoost.workingSupply = poolBoost.workingSupply - diff;
}
poolBoost.lastUpdateTime = block.timestamp;

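The following model is an added illustration of both the vulnerable update shown in the Vulnerability Details section and the recommended fix above; it is not code from the audited project. The Solidity state is modelled with plain Python integers, and _calculateBoost is replaced by a constructed stub (calculate_boost) whose formula, balance scaled by a basis-point multiplier, is an assumption, since the page does not show the real one. The two user accounts and their balances are constructed sample data. It checks the invariant the finding relies on (workingSupply equals the sum of all users' recorded boosts) under both variants, and also exercises one deployment caveat: if the fix is rolled out on a pool whose workingSupply was already overwritten, the decrement path can underflow.

```python
"""Model of the pool boost accounting from the finding. Added illustration, not
project code: Solidity state is plain Python ints and _calculateBoost is replaced
by a constructed stub whose formula (balance * bps multiplier) is an assumption."""
from dataclasses import dataclass, field

BPS = 10_000  # basis-point denominator, matching the 10000 argument on the page

@dataclass
class PoolBoost:
    totalBoost: int = 0
    workingSupply: int = 0
    lastUpdateTime: int = 0

@dataclass
class Pool:
    boost: PoolBoost = field(default_factory=PoolBoost)
    userBoost: dict = field(default_factory=dict)    # user -> last recorded boost
    balances: dict = field(default_factory=dict)     # user -> balance (constructed)
    multipliers: dict = field(default_factory=dict)  # user -> bps multiplier (constructed)

def calculate_boost(pool, user):
    """Hypothetical stand-in for _calculateBoost(user, pool, 10000)."""
    return pool.balances.get(user, 0) * pool.multipliers.get(user, BPS) // BPS

def _checked_sub(a, b):
    """Solidity's checked arithmetic reverts on underflow; the model raises instead."""
    if b > a:
        raise ArithmeticError("arithmetic underflow")
    return a - b

def update_user_boost_vulnerable(pool, user, now):
    """As on the page: totalBoost moves by the delta, workingSupply is overwritten."""
    old, new = pool.userBoost.get(user, 0), calculate_boost(pool, user)
    if new >= old:
        pool.boost.totalBoost += new - old
    else:
        pool.boost.totalBoost = _checked_sub(pool.boost.totalBoost, old - new)
    pool.boost.workingSupply = new  # the bug: aggregate replaced by one user's value
    pool.userBoost[user] = new
    pool.boost.lastUpdateTime = now

def update_user_boost_fixed(pool, user, now):
    """As recommended: both aggregates move by the same delta."""
    old, new = pool.userBoost.get(user, 0), calculate_boost(pool, user)
    if new >= old:
        diff = new - old
        pool.boost.totalBoost += diff
        pool.boost.workingSupply += diff
    else:
        diff = old - new
        pool.boost.totalBoost = _checked_sub(pool.boost.totalBoost, diff)
        pool.boost.workingSupply = _checked_sub(pool.boost.workingSupply, diff)
    pool.userBoost[user] = new
    pool.boost.lastUpdateTime = now

def working_supply_is_aggregate(pool):
    """Invariant the pool-level metric must satisfy."""
    return pool.boost.workingSupply == sum(pool.userBoost.values())

def new_pool():  # constructed sample state: alice at 2.5x, bob at 1.0x
    return Pool(balances={"alice": 1_000, "bob": 500},
                multipliers={"alice": 25_000, "bob": 10_000})

def run_scenario(update):
    """Alice and bob update, then bob's multiplier halves; returns pool aggregates."""
    pool = new_pool()
    update(pool, "alice", now=1)      # alice: 1000 * 2.5 = 2500
    update(pool, "bob", now=2)        # bob:   500 * 1.0 = 500
    pool.multipliers["bob"] = 5_000   # bob's multiplier drops to 0.5x
    update(pool, "bob", now=3)        # bob:   250, delta -250
    return {"totalBoost": pool.boost.totalBoost,
            "workingSupply": pool.boost.workingSupply,
            "invariant_holds": working_supply_is_aggregate(pool)}

def fix_on_corrupted_state_reverts():
    """Caveat: shipping the fix over an already-overwritten workingSupply lets a
    later decrease underflow (a revert on-chain), so resynchronise it first."""
    pool = new_pool()
    update_user_boost_vulnerable(pool, "alice", now=1)  # workingSupply = 2500
    update_user_boost_vulnerable(pool, "bob", now=2)    # workingSupply = 500 (overwritten)
    pool.multipliers["alice"] = 10_000                  # alice drops 2500 -> 1000
    try:
        update_user_boost_fixed(pool, "alice", now=3)   # must subtract 1500 from 500
        return False
    except ArithmeticError:
        return True

if __name__ == "__main__":
    print("vulnerable:", run_scenario(update_user_boost_vulnerable))
    print("fixed:     ", run_scenario(update_user_boost_fixed))
    print("fix over corrupted state reverts:", fix_on_corrupted_state_reverts())
```

Running the model, the vulnerable variant ends with totalBoost 2750 but workingSupply 250 (bob's own boost, because he updated last), while the fixed variant keeps both aggregates at 2750. The last function shows why a fix of this kind needs a migration step: once workingSupply has been overwritten to a value smaller than some user's recorded boost, the corrected decrement can underflow, so the aggregate should be recomputed from the per-user values before or when the fixed code is deployed.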
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController::updateUserBoost overwrites workingSupply with single user's boost value instead of accumulating, breaking reward multipliers and allowing last updater to capture all benefits
