Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Incorrect Boost Multiplier Calculation in BoostController Contract

Summary

The getBoostMultiplier function in the BoostController contract is intended to calculate the boost multiplier for a user in a specific pool. However, due to an error in the calculation logic, the function always returns the maximum boost value (MAX_BOOST), resulting in incorrect boost multipliers for users.

Vulnerability Details

Affected Function:

    function getBoostMultiplier(
        address user,
        address pool
    ) external view override returns (uint256) {
        if (!supportedPools[pool]) revert PoolNotSupported();
        UserBoost storage userBoost = userBoosts[user][pool];
        if (userBoost.amount == 0) return MIN_BOOST;
        // Incorrect calculation
        uint256 baseAmount = userBoost.amount * 10000 / MAX_BOOST;
        return userBoost.amount * 10000 / baseAmount;
    }

Root Cause:

  1. The baseAmount is calculated as:

    uint256 baseAmount = userBoost.amount * 10000 / MAX_BOOST;

    This was intended to normalize userBoost.amount, but it only scales the amount by the constant factor 10000 / MAX_BOOST.

  2. The return statement calculates the boost multiplier as:

    return userBoost.amount * 10000 / baseAmount;

    Since baseAmount is just userBoost.amount scaled by 10000 / MAX_BOOST, dividing userBoost.amount * 10000 by it cancels the amount out of the expression. The normalization is undone and the result is always MAX_BOOST (i.e., 25000 basis points), regardless of the actual boost amount.

Calculation Breakdown:

Assume userBoost.amount = 10000:

uint256 baseAmount = (10000 * 10000) / 25000; // baseAmount = 4000
return (10000 * 10000) / 4000; // Always returns 25000 (MAX_BOOST)

Why Does it Always Return MAX_BOOST (25000)?

  • The baseAmount calculation inadvertently cancels out the effect of userBoost.amount, leading to a final result of MAX_BOOST, which is always 25000.

  • Regardless of the actual value of userBoost.amount, the function will always return MAX_BOOST.

Impact

  • Incorrect Boost Multiplier: Users will always receive the maximum boost multiplier (MAX_BOOST) even if their actual boost is lower.

  • Incorrect Reward Distribution: Since the boost multiplier is incorrectly calculated, the rewards distribution based on boost multipliers will be inaccurate, potentially leading to unfair or imbalanced rewards.

Tools Used

  • Manual Code Review

Recommendations

  1. Fix the Boost Multiplier Calculation: Modify the calculation to properly reflect the user's boost amount. A corrected formula could be:

    return MIN_BOOST + (userBoost.amount * (MAX_BOOST - MIN_BOOST) / MAX_BOOST);
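
The arithmetic from the calculation breakdown and the recommended formula, modelled in Python with truncating integer division to mirror Solidity's uint256 behaviour, and extended to dust and 18-decimal amounts beyond the single case worked above. This is an added example, not code from the report or the project; MIN_BOOST = 10000, the helper names and the sample amounts are assumptions.

```python
# Added example: models Solidity's truncating uint256 division with Python ints.
MAX_BOOST = 25000  # basis points, value given in the report
MIN_BOOST = 10000  # assumed value; the report does not state it


class Revert(Exception):
    """Stands in for a Solidity revert (here: the division-by-zero panic)."""


def div(a: int, b: int) -> int:
    if b == 0:
        raise Revert("division by zero")
    return a // b


def buggy_multiplier(amount: int) -> int:
    """getBoostMultiplier as quoted in the report (pool check omitted)."""
    if amount == 0:
        return MIN_BOOST
    base_amount = div(amount * 10000, MAX_BOOST)
    return div(amount * 10000, base_amount)


def recommended_multiplier(amount: int) -> int:
    """The report's suggested formula, evaluated exactly as written."""
    return MIN_BOOST + div(amount * (MAX_BOOST - MIN_BOOST), MAX_BOOST)


def survey(amounts):
    """Map each amount to the buggy result, or 'revert' if the call reverts."""
    out = {}
    for a in amounts:
        try:
            out[a] = buggy_multiplier(a)
        except Revert:
            out[a] = "revert"
    return out


if __name__ == "__main__":
    # Constructed sample amounts: dust, the report's 10000, and token-sized values.
    for a, r in survey([1, 2, 3, 7, 10000, 10**18, 5 * 10**21]).items():
        print(f"amount={a:<24} buggy={r}  recommended={recommended_multiplier(a)}")
```

Under truncating division, amounts of 1 or 2 make baseAmount zero so the call reverts, and amounts such as 3 or 7 return more than MAX_BOOST, which a regression test for the fix should cover. The suggested replacement stays between MIN_BOOST and MAX_BOOST only while amount <= MAX_BOOST, so a fix also needs a cap or a denominator expressed in the amount's own units.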
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController::getBoostMultiplier always returns MAX_BOOST for any non-zero boost due to mathematical calculation error, defeating the incentive mechanism
