Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Missing Vote Delay Enforcement in GaugeController

Summary

The GaugeController.sol contract defines a vote delay mechanism but never enforces it. Users can vote multiple times in rapid succession, potentially manipulating gauge weights and reward distributions.

Vulnerability Details

  • The contract declares a vote delay constant and a per-user timestamp mapping:

    uint256 public constant VOTE_DELAY = 10 days;
    mapping(address => uint256) public lastVoteTime;

  • However, the vote() function never uses either of them:

    function vote(address gauge, uint256 weight) external override whenNotPaused {
        if (!isGauge(gauge)) revert GaugeNotFound();
        if (weight > WEIGHT_PRECISION) revert InvalidWeight();
        // No check against lastVoteTime / VOTE_DELAY here
        uint256 votingPower = veRAACToken.balanceOf(msg.sender);
        if (votingPower == 0) revert NoVotingPower();
        uint256 oldWeight = userGaugeVotes[msg.sender][gauge];
        userGaugeVotes[msg.sender][gauge] = weight;
        _updateGaugeWeight(gauge, oldWeight, weight, votingPower);
        // lastVoteTime[msg.sender] is never written
        emit WeightUpdated(gauge, oldWeight, weight);
    }

Impact

  • Users can vote multiple times without any time restriction

  • Potential for vote manipulation and reward distribution attacks

  • Undermines the entire voting mechanism's fairness

  • Could lead to unfair resource allocation in the protocol

Tools Used

  • Manual code review

Recommendations

  • Implement vote delay enforcement in the vote() function:

    function vote(address gauge, uint256 weight) external override whenNotPaused {
        if (!isGauge(gauge)) revert GaugeNotFound();
        if (weight > WEIGHT_PRECISION) revert InvalidWeight();
        // Add vote delay check
        if (block.timestamp < lastVoteTime[msg.sender] + VOTE_DELAY)
            revert VotingDelayNotElapsed();
        uint256 votingPower = veRAACToken.balanceOf(msg.sender);
        if (votingPower == 0) revert NoVotingPower();
        uint256 oldWeight = userGaugeVotes[msg.sender][gauge];
        userGaugeVotes[msg.sender][gauge] = weight;
        _updateGaugeWeight(gauge, oldWeight, weight, votingPower);
        // Update last vote time
        lastVoteTime[msg.sender] = block.timestamp;
        emit WeightUpdated(gauge, oldWeight, weight);
    }

  • Add a custom error for vote delay:

    error VotingDelayNotElapsed();
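
The recommended guard, modeled off-chain in JavaScript so its boundary behaviour can be checked as a regression test. This is an added example, not the project's code and not part of the original submission. The class name, simulated clock, WEIGHT_PRECISION value and voting schedule are assumptions constructed for illustration, and the gauge, voting-power and pause checks are omitted.

```javascript
// Off-chain model of the vote-delay guard (constructed for illustration).
const VOTE_DELAY = 10 * 24 * 60 * 60;  // 10 days in seconds, as declared on the page
const WEIGHT_PRECISION = 10000;        // assumed value; not shown on the page

class GaugeControllerModel {           // hypothetical name
  constructor(enforceDelay) {
    this.enforceDelay = enforceDelay;  // false = code as audited, true = recommended fix
    this.now = 1_700_000_000;          // simulated block.timestamp (constructed)
    this.lastVoteTime = new Map();     // voter -> timestamp; missing key reads as 0
    this.userGaugeVotes = new Map();   // "voter:gauge" -> weight
  }
  warp(seconds) { this.now += seconds; }
  vote(voter, gauge, weight) {
    if (weight > WEIGHT_PRECISION) throw new Error("InvalidWeight");
    const last = this.lastVoteTime.get(voter) ?? 0;
    // The recommended check: reject until lastVoteTime + VOTE_DELAY is reached.
    if (this.enforceDelay && this.now < last + VOTE_DELAY) {
      throw new Error("VotingDelayNotElapsed");
    }
    this.userGaugeVotes.set(`${voter}:${gauge}`, weight);
    // The audited code never writes lastVoteTime; the fix records it per voter.
    if (this.enforceDelay) this.lastVoteTime.set(voter, this.now);
  }
}

// Runs one voter through a constructed schedule and returns each step's outcome.
function runSchedule(enforceDelay) {
  const gc = new GaugeControllerModel(enforceDelay);
  const steps = [                        // [seconds since previous step, gauge, weight]
    [0, "gaugeA", 10000],                // first vote ever: lastVoteTime is 0
    [60, "gaugeA", 0],                   // one minute later, same gauge
    [60, "gaugeB", 10000],               // another minute later, different gauge
    [VOTE_DELAY - 121, "gaugeA", 5000],  // one second before the delay expires
    [1, "gaugeA", 5000],                 // exactly lastVoteTime + VOTE_DELAY
  ];
  return steps.map(([dt, gauge, weight]) => {
    gc.warp(dt);
    try { gc.vote("alice", gauge, weight); return "ok"; }
    catch (e) { return e.message; }
  });
}

console.log("audited:", runSchedule(false));
console.log("fixed:  ", runSchedule(true));
```

Because lastVoteTime is keyed by account only, the recommended check also rejects a vote on a different gauge (gaugeB in the schedule) until the delay has elapsed.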
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

GaugeController::vote never enforces VOTE_DELAY or updates lastVoteTime, allowing users to spam votes and manipulate gauge weights without waiting
