Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Stale Data Issue in BoostController Contract

recur

Summary

The updateUserBoost function in the BoostController contract can return outdated boost values due to an unresolved delegation lock issue. As delegations do not reset automatically after expiry and depend on the recipient manually removing them, users might be working with stale data, which can result in incorrect calculations and potential unfairness in the boost distribution process.

Vulnerability Details

Affected Function:

function updateUserBoost(address user, address pool) external override nonReentrant whenNotPaused {
if (paused()) revert EmergencyPaused();
if (user == address(0)) revert InvalidPool();
if (!supportedPools[pool]) revert PoolNotSupported();
UserBoost storage userBoost = userBoosts[user][pool];
PoolBoost storage poolBoost = poolBoosts[pool];
uint256 oldBoost = userBoost.amount;
// Calculate new boost based on current veToken balance
uint256 newBoost = _calculateBoost(user, pool, 10000); // Base amount
userBoost.amount = newBoost;
userBoost.lastUpdateTime = block.timestamp;
// Update pool totals safely
if (newBoost >= oldBoost) {
poolBoost.totalBoost = poolBoost.totalBoost + (newBoost - oldBoost);
} else {
poolBoost.totalBoost = poolBoost.totalBoost - (oldBoost - newBoost);
}
poolBoost.workingSupply = newBoost; // Set working supply directly to new boost //@audit
poolBoost.lastUpdateTime = block.timestamp;
emit BoostUpdated(user, pool, newBoost);
emit PoolBoostUpdated(pool, poolBoost.totalBoost, poolBoost.workingSupply);
}

Root Cause:

  • The delegateBoost function prevents a user from re-delegating until the recipient removes the expired delegation manually.

  • As a result, when updateUserBoost is called, it may fetch outdated data because expired delegations are still active. The function will calculate a new boost based on an old delegation state, which can lead to incorrect boost values for both users and pools.

Problems Caused:

  1. Inaccurate Boost Values: Since the expired delegation is not automatically cleared, the new boost might be calculated using stale data, leading to incorrect boost values.

  2. Unfair Boost Distribution: Pool boost totals and individual user boosts might not accurately reflect current delegations, leading to unfair reward distribution.

Impact:

  • Incorrect User Boost Values: Users might receive incorrect boost values, leading to unfair reward calculations.

  • Misallocation of Pool Boosts: The pool’s total boost might be incorrectly updated due to reliance on outdated user boost values.

Tools Used:

  • Manual Code Review

Recommendations:

  1. Automatically Clear Expired Delegations: Modify the delegateBoost function to clear expired delegations before calculating boosts.

    if (delegation.expiry <= block.timestamp) {
    delete userBoosts[msg.sender][to]; // Clear expired delegation automatically
    }

  2. Verify and Remove Stale Data in updateUserBoost: Implement a check in updateUserBoost to ensure that expired delegations are cleared before updating user boosts.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController: Users unable to remove their own expired boost delegations, creating dependency on recipients and preventing efficient reallocation of boosts

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!