Summary

The GaugeController contract includes a state variable, MIN_VOTE_WEIGHT (set to 100, representing a 1% minimum vote), but the vote function does not enforce this minimum weight when users cast their votes. This oversight allows vote weights below the intended threshold, leading to potential manipulation and unintended voting behavior in the gauge weight distribution.

Vulnerability Details

• Affected Function:

  function vote(address gauge, uint256 weight) external override whenNotPaused {

  if (!isGauge(gauge)) revert GaugeNotFound();

  if (weight > WEIGHT_PRECISION) revert InvalidWeight();

  uint256 votingPower = veRAACToken.balanceOf(msg.sender);

  if (votingPower == 0) revert NoVotingPower();

  //@audit-issue missing check for MIN_VOTE_WEIGHT

  uint256 oldWeight = userGaugeVotes[msg.sender][gauge];

  userGaugeVotes[msg.sender][gauge] = weight;

  _updateGaugeWeight(gauge, oldWeight, weight, votingPower);

  emit WeightUpdated(gauge, oldWeight, weight);

  }

• Issue:
  The vote function fails to ensure that the vote weight is at least MIN_VOTE_WEIGHT (100). This allows users to submit votes with weights below the intended minimum, which could distort the gauge weight calculations and lead to inaccurate distributions of rewards.

Impact

• Inaccurate Gauge Weight Calculation:
  Allowing votes with insufficient weight can result in a distorted gauge weight distribution, affecting the fairness and accuracy of the system.

• Potential for Manipulation:
  Without this check, malicious users could cast multiple votes with minimal weights, diminishing the influence of legitimate votes and manipulating the gauge weight distribution.

Tools Used

• Manual Code Review

Recommendations

1. Enforce Minimum Vote Weight:
   Add a validation in the vote function to ensure that the provided weight meets or exceeds the minimum threshold. For instance:

   if (weight < MIN_VOTE_WEIGHT) revert InvalidWeight(); // Or a specific error for insufficient vote weight