Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Incorrect Reward Calculation in BaseGauge Due to Wrong Weight Retrieval

Summary

An issue was identified in the BaseGauge.sol contract where the _getBaseWeight() function retrieves the weight of the gauge contract itself (address(this)) instead of the weight of the account passed in. Every account therefore resolves to the same weight, so reward calculations are wrong and users do not receive the rewards they are actually entitled to.

Vulnerability Details

Affected Function:

  • _getBaseWeight(address account) in BaseGauge.sol

Description:

The BaseGauge contract is responsible for handling staking and distributing rewards to users who deposit veRAAC tokens. When a user calls stake(), the updateReward modifier is triggered to calculate and update their rewards.

The _updateReward() function determines rewards by calling earned(), which relies on getUserWeight(). This function then calls _getBaseWeight() to retrieve the user’s base weight. However, instead of returning the user's weight, it mistakenly retrieves the contract’s weight (address(this)), causing miscalculations in the reward distribution.

Root Cause:

  • _getBaseWeight() incorrectly returns the contract’s weight instead of the user's weight.

Code Snippet:

```solidity
function _getBaseWeight(
    address account
) internal view virtual returns (uint256) {
    // BUG: looks up the gauge's own weight (address(this)), so the account
    // parameter is ignored and every caller resolves to the same value.
    return IGaugeController(controller).getGaugeWeight(address(this));
    // return IGaugeController(controller).getGaugeWeight(account);
}
```

Proof of Concept (PoC)

Preconditions:

  • A user stakes veRAAC tokens in the BaseGauge contract.

  • The stake() function triggers updateReward(), which calls _updateReward().

  • _updateReward() calls earned(), which calls getUserWeight(), which then calls _getBaseWeight().

Steps to Trigger:

  1. The user stakes veRAAC tokens.

  2. The system calculates rewards based on _getBaseWeight().

  3. _getBaseWeight() retrieves the contract’s weight instead of the user’s.

  4. The reward calculation is incorrect, resulting in unfair reward distribution.
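
To make the effect of the wrong lookup concrete, the following is an added Python model of the gauge's reward accounting; it is not code from the RAAC code base. It assumes a rewardPerToken-style accumulator (each account's claim is its base weight times the reward accrued per unit of weight) and a mock IGaugeController whose weight table maps the gauge's own address to the total of all account weights, consistent with the judge's note that the function returns the gauge's total weight. base_weight_buggy() and base_weight_fixed() mirror the vulnerable and recommended bodies of _getBaseWeight(); MockGaugeController, distribute() and audit() are constructed for this example.

```python
# Added example: models BaseGauge reward accounting to show the effect of the
# _getBaseWeight() bug. Assumptions (not from the RAAC code base): a
# rewardPerToken-style accumulator and a mock controller whose weight table
# maps the gauge's own address to the sum of all account weights.

PRECISION = 10**18
GAUGE_ADDRESS = "0xGAUGE"  # constructed placeholder for address(this)


class MockGaugeController:
    """Stand-in for IGaugeController.getGaugeWeight (constructed for this example)."""

    def __init__(self, account_weights):
        self._weights = dict(account_weights)
        # Assumption: the gauge's own entry is the total of every account's weight.
        self._weights[GAUGE_ADDRESS] = sum(account_weights.values())

    def get_gauge_weight(self, address):
        return self._weights.get(address, 0)


def base_weight_buggy(controller, account):
    """Mirrors the vulnerable body: the account parameter is ignored."""
    return controller.get_gauge_weight(GAUGE_ADDRESS)


def base_weight_fixed(controller, account):
    """Mirrors the recommended body: the weight is looked up per account."""
    return controller.get_gauge_weight(account)


def distribute(controller, accounts, reward, base_weight):
    """Return each account's claim for one reward period.

    reward_per_weight plays the role of rewardPerToken: the reward is spread
    over the gauge's total weight, and each account earns its base weight
    times that rate.
    """
    total_weight = controller.get_gauge_weight(GAUGE_ADDRESS)
    reward_per_weight = reward * PRECISION // total_weight
    return {
        account: base_weight(controller, account) * reward_per_weight // PRECISION
        for account in accounts
    }


def audit(controller, accounts, reward, base_weight):
    """Summarise where the payouts go and whether they exceed what was funded."""
    claims = distribute(controller, accounts, reward, base_weight)
    paid = sum(claims.values())
    phantom = sorted(
        account for account, amount in claims.items()
        if amount > 0 and controller.get_gauge_weight(account) == 0
    )
    return {
        "claims": claims,
        "total_paid": paid,
        "overpaid": max(paid - reward, 0),  # paid beyond the funded reward
        "phantom_claimants": phantom,       # zero-weight accounts that still get paid
    }


# Constructed scenario: alice and bob hold weight in the gauge, carol holds none.
WEIGHTS = {"alice": 600 * PRECISION, "bob": 400 * PRECISION, "carol": 0}
REWARD = 1000 * PRECISION
ACCOUNTS = list(WEIGHTS)


def run_comparison():
    """Run the same period through the buggy and the fixed weight lookup."""
    controller = MockGaugeController(WEIGHTS)
    return {
        "buggy": audit(controller, ACCOUNTS, REWARD, base_weight_buggy),
        "fixed": audit(controller, ACCOUNTS, REWARD, base_weight_fixed),
    }


if __name__ == "__main__":
    for label, result in run_comparison().items():
        print(label,
              {k: v // PRECISION for k, v in result["claims"].items()},
              "overpaid:", result["overpaid"] // PRECISION,
              "phantom:", result["phantom_claimants"])
```

With the buggy lookup every account, including carol with zero weight, claims the full 1000-token reward, so 3000 tokens are owed against a 1000-token pool; with the per-account lookup alice and bob split the pool 600/400 and carol receives nothing. A unit test asserting that total claims never exceed the funded reward, and that a zero-weight account earns zero, is the check that would have caught this before deployment.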

Impact

  • High Severity: Users are not receiving the correct rewards due to incorrect weight retrieval, leading to unfair reward distribution.

  • This flaw may discourage users from staking and participating in governance, affecting protocol adoption.

  • Long-term misallocation of rewards can impact the sustainability of the ecosystem.

Tools Used

Manual review

Recommendations

To ensure accurate reward calculation, _getBaseWeight() should return the user’s weight instead of the contract’s:

```solidity
function _getBaseWeight(
    address account
) internal view virtual returns (uint256) {
    // Look up the weight of the account being rewarded, not the gauge itself.
    return IGaugeController(controller).getGaugeWeight(account);
}
```

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BaseGauge._getBaseWeight ignores account parameter and returns gauge's total weight, allowing users to claim rewards from gauges they never voted for or staked in
