Core Contracts

Overview

The _getBaseWeight function in the provided codebase is designed to interact with the GaugeController to retrieve the weight of a user. However, the function incorrectly passes the address of the BaseGauge contract (address(this)) instead of the user's address (account) to the GaugeController. This results in the wrong weight being retrieved, as the GaugeController is queried for the weight of the gauge itself rather than the user. This issue propagates to the getUserWeight function, which calls _applyBoost with the incorrect base weight, leading to further inaccuracies in boost calculations.

Vulnerability Details

1. Functionality of _getBaseWeight:

   • The _getBaseWeight function is intended to fetch the base weight of a user from the GaugeController.

   • It calls the getGaugeWeight function on the GaugeController contract, passing address(this) (the address of the BaseGauge contract) as the argument.

   • This means the function retrieves the weight of the BaseGauge contract itself, not the weight of the user (account).

2. Impact of Incorrect Weight Retrieval:

   • Incorrect Base Weight: The function returns the weight of the BaseGauge contract instead of the user's weight, leading to incorrect calculations in functions that depend on _getBaseWeight.

   • Broken Logic in getUserWeight: The getUserWeight function calls _applyBoost(account, baseWeight) to apply a boost multiplier to the base weight. If the base weight is incorrect, the boost calculation will also be incorrect.

   • User Exploitation: Users may receive incorrect rewards or boosts, leading to unfair advantages or disadvantages depending on the implementation.

3. Problem with _applyBoost:

   • The _applyBoost function is designed to calculate a boost multiplier based on the user's veToken balance and other parameters. It applies this boost to the base weight to determine the final weight used for reward distribution.

   • If the base weight passed to _applyBoost is incorrect (i.e., the weight of the BaseGauge contract instead of the user), the boost calculation will be applied to the wrong value, leading to:

     • Inaccurate Rewards: Users may receive more or fewer rewards than they are entitled to.

4. Example Scenario:

   • A user calls getUserWeight to check their weight for reward calculations.

   • The _getBaseWeight function retrieves the weight of the BaseGauge contract instead of the user's weight.

   • The getUserWeight function passes this incorrect base weight to _applyBoost.

   • The _applyBoost function calculates a boost multiplier based on the user's veToken balance but applies it to the wrong base weight, resulting in an incorrect final weight.

   • The user receives rewards based on this incorrect weight, leading to economic loss or gain depending on the direction of the error.

Code Analysis

Here is the relevant code snippet:

• Issue: The _getBaseWeight function passes address(this) to getGaugeWeight, which retrieves the weight of the BaseGauge contract instead of the user (account).

• Propagation to _applyBoost: The incorrect base weight is passed to _applyBoost, leading to incorrect boost calculations and reward distributions.

• Expected Behavior: The function should pass the account address to getGaugeWeight to retrieve the user's weight.

Recommendations

To fix this issue, modify the _getBaseWeight function to pass the account address to the GaugeController instead of address(this).

1. Update _getBaseWeight:

   • Change the argument passed to getGaugeWeight from address(this) to account.

   function _getBaseWeight(address account) internal view virtual returns (uint256) {

   return IGaugeController(controller).getGaugeWeight(account);

   }

2. Verify GaugeController Compatibility:

   • Ensure that the GaugeController contract's getGaugeWeight function is designed to accept and process user addresses (account) rather than gauge addresses.

3. Test the Fix:

   • Write unit tests to verify that the _getBaseWeight function now correctly retrieves the user's weight and that dependent functions (e.g., getUserWeight, _applyBoost) work as intended.

4. Review _applyBoost Logic:

   • Ensure that the _applyBoost function correctly calculates the boost multiplier based on the user's veToken balance and applies it to the correct base weight.

Conclusion

The _getBaseWeight function currently retrieves the weight of the BaseGauge contract instead of the user's weight due to the incorrect use of address(this). This issue propagates to the getUserWeight function, which calls _applyBoost with the incorrect base weight, leading to inaccurate boost calculations and reward distributions. By updating the function to pass the account address to the GaugeController, the contract will correctly retrieve and use the user's weight. This fix is critical for ensuring the contract operates as intended and maintains fairness in reward distribution.