Core Contracts

Summary

The contract calculates totalWeight using the amount of veToken locked by the BoostController itself. However, there is no indication that the BoostController ever locks veTokens. If totalWeight is zero, it could lead to incorrect boost calculations, affecting the fairness of the boost system.

Vulnerability Details

The issue originates in the updateTotalWeight function:

Here, totalWeight is determined by calling veToken.getLockPosition(address(this)).amount, which retrieves the amount of veToken locked by the BoostController contract itself. However, nowhere in the contract’s constructor or any of its functions does the BoostController lock veTokens.

Both _calculateBoost and calculateBoost rely on updateTotalWeight:

If totalWeight is zero, this value propagates into BoostCalculator.calculateTimeWeightedBoost, which likely assumes a nonzero totalWeight for proper scaling. This could result in unintended behavior, such as boosts not being applied correctly or the system failing to function as intended.

Impact

If totalWeight remains zero, boost calculations may not work as expected. This could lead to:

• Incorrect distribution of boosts, affecting fairness.

• Some users receiving little to no boost due to improper weight calculations.

• Potential division by zero errors or unintended outcomes in the boost calculation logic.

Tools Used

• Manual code review

Recommendations

1. Ensure that totalWeight correctly reflects meaningful data by verifying that the BoostController locks veTokens if it is expected to.

2. If the BoostController is not meant to lock veTokens, change the calculation to use a different metric that accurately represents the system's weight.

3. Add explicit checks to handle cases where totalWeight is zero to prevent unintended behaviors in BoostCalculator.calculateTimeWeightedBoost.