Submission Details
Severity:
Faulty delegateBoost() and removeBoostDelegation() mechanics leads to diminished rewards
Description
The expected flow for delegation and undelegation of boost is the following with ❌ showing the step missing in the current implementation:
User A (has veToken) ----'delegateBoost()' to----> Pool X
1. Records delegation
2. Pool should get boost increase based on delegated veToken
- 'poolBoost.totalBoost' and 'poolBoost.workingSupply' is increased by the 'delgation.amount' added ❌
3. Boost affects pool's reward calculations
4. When undelegated ('removeBoostDelegation()' called by Pool X):
- Pool loses delegated boost
- Pool rewards recalculated
- 'poolBoost.totalBoost' and 'poolBoost.workingSupply' is decreased by the 'delgation.amount' removed
poolBoost.totalBoost and poolBoost.workingSupply are decreased when undelegating but are never increased when delegating. Over time, this reduces the boost and hence the rewards significantly.
Impact
Users get less than intended rewards. Gets worse over time.
Mitigation
poolBoost.totalBoost and poolBoost.workingSupply should be increased by the delgation.amount during delegateBoost().
Updates
Lead Judging Commences
inallhonesty 5 months ago
Submission Judgement Published Assigned finding tags:
BoostController removes pool boost on delegation removal without adding it on delegation creation, leading to accounting inconsistencies and potential underflows
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.