Core Contracts

Summary

In the GaugeController's updateGaugeWeight function there is a flaw in the calculation that leads to the newGaugeWeight being returned less than the previous weights even when the users vote with votes > than the previous ones

Vulnerability Details

Lets get straight to the issue with an example: Suppose there are 2 users- A, B and all of them vote on the same gauge
-> User A first calls the weight function with weight = 2000, now the g.weight will = oldGaugeWeight -((oldWeight * votingPower) / WEIGHT_PRECISION) + ((newWeight * votingPower) / WEIGHT_PRECISION); i.e as this is the very first deposit so the oldWeight will be 0 keep in mind. so this will return: 0 - (0 * 3000e18) / 10000 + (2000 * 3000e18) / 10000 = 600e18

-> UserB comes and calls vote with weight = 1500. Now lets take the calculation formula being used in the function- oldGaugeWeight - ((oldWeight * votingPower) / WEIGHT_PRECISION) + ((newWeight * votingPower) / WEIGHT_PRECISION); note that this time also oldWeight = 0 as the USERB's first deposit. So,: 600e18-((0 * 2000e18) / 10000) + ((1500 * 2000e18) / 10000) = 900e18-> newGaugeWeight

-> Now lets say the the userA wants to increase the weight using his voting power by 1000 and he comes again and this time his voting power reduced a little and now he votes with weight = 1000. Now the calculation will be:
900e18 - ((2000 * 1000e18) / 10000) + ((1000 * 1000e18) / 10000) = 800e18
As can be seen that the new weight of the gauge reduces even after the user increases it with 1000 basis points.

Recommendations

Refactor the code and the calculation such as the newWeight of gauge returns the correct values.