The `userGaugeVotes` mapping is updated incorrectly in the `vote function` of the GaugeController contract.
Vulnerability Details
The userGaugeVotes mapping is updated incorrectly in the vote function of the GaugeController contract. When an user votes for gaugeWeights via the vote function, evrytime the userGaugeVotes mapping is updated to whatever the weight the user passes in. But if the user comes and votes again lets say on the same gauge this mapping is overwritten with that weight instead of ebing updated with the increased weight i.e what is supposed to be done here. Lets take an example to understand this:
-> Suppose there are 2 gauges just for simplicity and example's sake: GaugeA and GaugeB
Now a user comes and calls the vote function passing in the GaugeA as gauge param and in the weight param he passes in 2000.
Now after this call executes, the mapping will be updated to- userGaugeVotes[msg.sender][gaugeA] = 2000;
Now the same user after some time later comes again to vote and he again calls vote with lets again gaugeA but this time the weight that he passes in is lets say 3000. Now what will happen is that the userGaugeVotes mapping will be updated to: userGaugeVotes[msg.sender][gaugeA] = 3000; however instead of that it should be updated to 5000 taking in the account the previous weight too that the user voted with
Tools Used
Manual Review
Recommendations
Update that mapping like this:
+userGaugeVotes[msg.sender][gauge] += weight;
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.