`_getBaseWeight` incorrectly calculates the weight of a user
Summary
The function _getBaseWeight is responsible for retrieving the user's current weight including any boosts. Unfortunately, even though the function accepts the parameter address account, it is not utilised within the execution process. Instead, we retrieve the contract's current gauge weight.
Vulnerability Details
The following line of code exhibits the vulnerability:
The account in context may have a balance, like 7500 (per the value in tests used as example via setInitialWeight) whereas the contract could have n leftover, or simply 0, which regardless, demonstrates incorrect accounting.
Impact
This would have a domino effect on functions which utilise this function, such as:
getUserWeight, which then negatively reflects on the process of_applyBoostearned()calculation as it usesgetUserWeight()within its operation for accounting reasons_updateRewardas it executesearned()
Tools Used
Manual review
Recommendations
Correctly address the account and not the contract.
Lead Judging Commences
BaseGauge::earned calculates rewards using getUserWeight instead of staked balances, potentially allowing users to claim rewards by gaining weight without proper reward checkpoint updates
BaseGauge::earned calculates rewards using getUserWeight instead of staked balances, potentially allowing users to claim rewards by gaining weight without proper reward checkpoint updates
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.