Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

No check for self boost delegation

Summary

The BoostController::delegateBoost() function does not prevent users from delegating boost to themselves.

Vulnerability Details

The function allows users to delegate boost to any address, including their own.
Since userBoosts[msg.sender][to] stores delegation records, delegating to oneself will lead to earning more rewards (with boost multipliers based on user weight) from the Gauge.

Impact

Users may exploit this to increase their effective boost unfairly.

Recommendations

Add a check to ensure that users cannot delegate boost to themselves:

[contracts/core/governance/boost/BoostController.sol]
212 function delegateBoost(
213 address to,
214 uint256 amount,
215 uint256 duration
216 ) external override nonReentrant {
217 if (paused()) revert EmergencyPaused();
218 if (to == address(0)) revert InvalidPool();
+ if (to == msg.sender) revert InvalidDelegation();
219 if (amount == 0) revert InvalidBoostAmount();
220 if (duration < MIN_DELEGATION_DURATION || duration > MAX_DELEGATION_DURATION)
221 revert InvalidDelegationDuration();
222
223 uint256 userBalance = IERC20(address(veToken)).balanceOf(msg.sender);
224 if (userBalance < amount) revert InsufficientVeBalance();
225
226 UserBoost storage delegation = userBoosts[msg.sender][to];
227 if (delegation.amount > 0) revert BoostAlreadyDelegated();
228
229 delegation.amount = amount;
230 delegation.expiry = block.timestamp + duration;
231 delegation.delegatedTo = to;
232 delegation.lastUpdateTime = block.timestamp;
233
234 emit BoostDelegated(msg.sender, to, amount, duration);
235 }
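
Review bot: the added line between 218 and 219, if (to == msg.sender) revert InvalidDelegation();, reverts with an error that none of the visible lines declare or use, so InvalidDelegation has to be declared alongside the existing errors (InvalidPool, InvalidBoostAmount, BoostAlreadyDelegated) or the check should reuse one of them. Separately, the visible body only writes the record to userBoosts[msg.sender][to] and emits BoostDelegated; nothing shown here reads that record into a boost or reward calculation, so the change should come with a test in which a self-delegation alters the computed boost. Without that, the guard is input hygiene rather than a fix for the stated impact.
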
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Too generic
