Summary

The _getBaseWeight function is meant to return the base weight for a specific user account. However, it incorrectly uses the contract’s own address (address(this)) instead of the provided account parameter. This causes the function to return the wrong weight, leading to incorrect calculations and improper reward distribution.

Vulnerability Details

Affected Function:

Issue:

• The function is designed to fetch the base weight for a given account, but instead, it retrieves the weight for the contract itself (address(this)), which is incorrect.

Expected Behavior:

• The function should use the account parameter to retrieve the appropriate weight for the specific user. The corrected code should be:

  return IGaugeController(controller).getGaugeWeight(account);

Impact

• Incorrect Reward Distribution: The wrong base weight leads to inaccurate calculations for rewards, potentially misaligning user incentives and damaging the reward system’s integrity.

• System Instability: Any processes or decisions relying on accurate user weights, such as vote weights or boost calculations, will be impacted, which could result in broader issues within the protocol.

Tools Used

• Manual Code Review

Recommendations

1. Fix the Implementation: Update the _getBaseWeight function to use the correct account parameter. The revised function should be:

   function _getBaseWeight(address account) internal view virtual returns (uint256) {

   return IGaugeController(controller).getGaugeWeight(account);

   }