Self-Delegation in boost controller
Summary
The current implementation allows users to delegate their boost to themselves (to == msg.sender). This creates a potential vector for boost manipulation as users could artificially inflate their apparent boost power through self-referential delegation.
Affected code
Vulnerability Details
A user calls delegateBoost() with their own address as to parameter
Contract stores delegation in userBoosts[msg.sender][msg.sender]
System treats this as valid delegation:
delegation.amount increases user's apparent boost
No cooldown/limit on self-delegation renewals
Delegation expiry can be repeatedly extended
Result of delegation
Impact
This allows the attacker to double-count their voting power.
Users could bypass delegation limits by creating circular references
Distortion of boost calculations
Possible inflation of voting power metrics
Undermining of delegation incentive structure
Malicious Flow
User with 1000 veRaac balance
calls delegateBoost(self, 1000,365days)
System now accounts for:
Base balance: 1000
Delegated balance: 1000
Total perceived: 2000 (2x inflation)
Where :
UserVP = Actual voting power (1000)
DelegatedVP = Self-delegated (1000)
TotalVP = 1000 (real) + 1000 (fake) = 2000
Recommendations
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.