Manipulate rewards distributions to a gauges by voting manipulations
Summary
Attacker can down votes all gauges weights to 0 and prevents rewards distributions, i.e. breaks GaugeController functionality
Vulnerability Details
When user votes it's votingPower equals to the balance of the veRAACToken that can be freely transfered. Attacker can create multiple users, vote and transfer tokens to the next user and so on. As a result of such voting manipulation attacker can prevent rewards distribution using the following attack path:
vote with small amount of
veRAACTokenand bigweight.increase balance of
veRAACTokenand vote with 0weightgauge weight will be decreased (link):
uint256 newGaugeWeight = oldGaugeWeight - (oldWeight * votingPower / WEIGHT_PRECISION) + (newWeight * votingPower / WEIGHT_PRECISION)transfer
veRAACTokento next user and repeat gauge downvoting until it's weight will be decreased to 0gauge with 0 weight is excluded from rewards distribution (link)
Example:
some gauge has weight 1
first vote: attacker votes with
veRAACTokenbalance 1 and weight 10000,_updateGaugeWeight(link) will be called witholdWeight = 0, newWeight = 10000, votingPower = 1, new gauge weight will be
second vote: attacker increases it's
veRAACTokenbalance to 20000 and votes with weight 0,_updateGaugeWeightwill be called witholdWeight = 1, newWeight = 0, votingPower = 20000, calculate new gauge weight
Impact
Attacker can manipulate rewards distributions to a gauges
Tools Used
Manual code review
Recommendations
Use veRAACToken::getVotingPower (link) as votingPower instead of user's veRAACToken balance.
Lead Judging Commences
BaseGauge::_applyBoost, GaugeController::vote, BoostController::calculateBoost use balanceOf() instead of getVotingPower() for vote-escrow tokens, negating time-decay mechanism
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.