Core Contracts

Summary

A user's boost is calculated based on the current veRAAC Token balance and the boost multiplier that is represented in basis points. In BoostController.sol, updateUserBoost() will calculate a user's new boosted amount. However, due to hardcoding the input to pass in _calculateBoost()function that is being called internally, it will result in the updateUserBoost()function to return the boost multiplier instead.

Vulnerability Details

In the above function from BoostController.sol, line 11 calls _calculateBoost()- for the last parameter, 10000 is hardcoded.

BoostController._calculateBoost()

In the snippet below from BoostController._calculateBoost(), it now passes 10000 to be passed in BoostCalculator.calculateTimeWeightedBoost().

BoostCalculator.calculateTimeWeightedBoost()

Now in the function below, 10000 is passed as amount. In line 22, the boost basis points is being calculated via calculateBoost(). This returns basis points in the range of 10000 to 25000, as defined by the minimum and maximum basis points for boost multiplier.

Next in line 29, it now calculates the boostedAmount, taking (10000 * boostBasisPoints) / 10000, hence resulting in boostedAmount = boostBasisPoints.

Now back to BoostController.updateUserBoost(), the userBoost.amount = newBoost, which is the boostedAmount.

[updateUserBoost](https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/governance/boost/BoostController.sol#L189)

This hence stores the boostBasisPoints as the total boost of the user, rather than storing the actual boosted amount.

Impact

User's boosted amount is incorrectly stored. The user's boost multiplier is stored in basis points instead. This will gravely affect the calculation of boosted amount for users.

Tools Used

Manual

Recommendations

Ensure the amountpassed in BoostController._calculateBoost() is not hardcoded and instead passes the user's actual base amount before being multiplied by boost multiplier.