Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

State discrepancies between creating delegations and removing delegations

Summary

The contract's boost delegation system has incorrect accounting that could lead to inflated or deflated boost values, affecting reward distributions a

Vulnerability Details

The BoostController contract has two critical accounting issues in its delegation system:

  1. Incomplete Pool Updates in delegateBoost()

  • When a user delegates boost to another address, the delegation amount is recorded but the recipient pool's totals are not updated

  • This leads to the pool's total cost and working supply being lower than they should be

  • The delegated boost power effectively "disappears" from an accounting perspective

// @audit Missing critical pool updates:
// poolBoosts[to].totalBoost += amount;
// poolBoosts[to].workingSupply += amount;

  2. Incomplete Cleanup in removeBoostDelegation()

  • When removing a delegation, only the recipient's pool stats are updated

  • The original delegator's pool statistics are not properly adjusted

  • This could lead to "ghost" boost power remaining in the system

Impact

  • The total boost in the system becomes inaccurate, leading to systemic miscalculations

  • Users could receive incorrect reward multipliers due to miscounted boost values

Recommendations

  1. Update delegateBoost() to properly track pool totals:

function delegateBoost(address to, uint256 amount, uint256 duration) external {
    // ... existing validation ...
    UserBoost storage delegation = userBoosts[msg.sender][to];
    delegation.amount = amount;
    delegation.expiry = block.timestamp + duration;
    delegation.delegatedTo = to;

    // Add pool updates
    PoolBoost storage recipientPool = poolBoosts[to];
    recipientPool.totalBoost += amount;
    recipientPool.workingSupply += amount;
    recipientPool.lastUpdateTime = block.timestamp;

    emit PoolBoostUpdated(to, recipientPool.totalBoost, recipientPool.workingSupply);
}

  2. Add complete cleanup in removeBoostDelegation():

function removeBoostDelegation(address from) external {
    // ... existing validation ...

    // Update recipient pool
    PoolBoost storage recipientPool = poolBoosts[msg.sender];
    recipientPool.totalBoost -= delegation.amount;
    recipientPool.workingSupply -= delegation.amount;
    recipientPool.lastUpdateTime = block.timestamp;

    // Update delegator pool
    PoolBoost storage delegatorPool = poolBoosts[from];
    delegatorPool.totalBoost += delegation.amount; // Return boost to delegator
    delegatorPool.workingSupply += delegation.amount;
    delegatorPool.lastUpdateTime = block.timestamp;

    emit PoolBoostUpdated(msg.sender, recipientPool.totalBoost, recipientPool.workingSupply);
    emit PoolBoostUpdated(from, delegatorPool.totalBoost, delegatorPool.workingSupply);
}
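
The create/remove asymmetry described in this finding, as an added off-chain model (not the BoostController source and not code from the submission). It covers only the recipient-pool side of the recommendation; `BoostLedger`, `checkedSub` and `roundTrip` are hypothetical names, the amounts are constructed, and checked uint256 arithmetic (Solidity 0.8 or later) is assumed.

```javascript
// Added model of the accounting described above; not the BoostController source.
// Assumptions: checked uint256 arithmetic (Solidity >= 0.8), addresses as strings,
// amounts and baselines are constructed sample values.
const checkedSub = (a, b) => {
  if (b > a) throw new Error("arithmetic underflow"); // on-chain this is a revert
  return a - b;
};

class BoostLedger {
  constructor(creditOnDelegate) {
    this.creditOnDelegate = creditOnDelegate; // false = behaviour reported in the finding
    this.poolBoosts = new Map(); // recipient -> { totalBoost, workingSupply }
    this.userBoosts = new Map(); // "from>to" -> delegated amount
  }
  pool(addr) {
    if (!this.poolBoosts.has(addr)) this.poolBoosts.set(addr, { totalBoost: 0n, workingSupply: 0n });
    return this.poolBoosts.get(addr);
  }
  delegateBoost(from, to, amount) {
    this.userBoosts.set(`${from}>${to}`, amount);
    if (this.creditOnDelegate) { // the pool update the finding reports as missing
      const p = this.pool(to);
      p.totalBoost += amount;
      p.workingSupply += amount;
    }
  }
  removeBoostDelegation(from, to) {
    const key = `${from}>${to}`;
    const amount = this.userBoosts.get(key) ?? 0n;
    const p = this.pool(to);
    const totalBoost = checkedSub(p.totalBoost, amount);
    const workingSupply = checkedSub(p.workingSupply, amount);
    Object.assign(p, { totalBoost, workingSupply }); // commit only if neither subtraction reverted
    this.userBoosts.delete(key);
  }
}

// Returns the recipient's totalBoost after a delegate/remove round trip, or "revert".
function roundTrip(creditOnDelegate, baseline, amount) {
  const ledger = new BoostLedger(creditOnDelegate);
  Object.assign(ledger.pool("recipient"), { totalBoost: baseline, workingSupply: baseline });
  ledger.delegateBoost("alice", "recipient", amount);
  try { ledger.removeBoostDelegation("alice", "recipient"); } catch (e) { return "revert"; }
  return ledger.pool("recipient").totalBoost;
}

console.log(roundTrip(false, 100n, 40n), roundTrip(false, 0n, 40n), roundTrip(true, 100n, 40n));
```

A round trip that leaves the recipient's totals different from where they started, or that reverts, is the invariant violation to assert against in the contract's own test suite.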
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController removes pool boost on delegation removal without adding it on delegation creation, leading to accounting inconsistencies and potential underflows
