Over-allocation of votes, leading to **manipulation** of gauge weights.
Summary
The vote function allows users to allocate their voting power to a specific gauge, adjusting its weight accordingly. The function enforces key restrictions, such as ensuring the gauge exists, validating weight limits, and confirming the user has voting power. The updated weight is stored and processed in _updateGaugeWeight, followed by emitting an event.
Vulnerability Details
1. Lack of Total Weight Constraint
Issue:
-
The function does not verify whether the sum of a user's votes across multiple gauges exceeds their available
votingPower. -
A user can potentially distribute more weight than their actual balance, leading to unfair voting influence.
-
This is the general design of the gauges used by the protocols;
Example of a Valid Vote Distribution:
If a user has 5,000 votes, they should be able to allocate:
✅ Gauge A → 2,000 votes
✅ Gauge B → 2,000 votes
✅ Gauge C → 1,000 votes
✅ Total Used = 5,000 votes
Impact:
Could result in over-allocation of votes, leading to manipulation of gauge weights.
The system may assume incorrect weight distributions, affecting rewards and governance.
Tools Used
Manual code review
Recommendations
Implement a total vote limit per user to prevent over-allocation.
Introduce a cooldown period to prevent rapid vote switching.
Lead Judging Commences
GaugeController::vote lacks total weight tracking, allowing users to allocate 100% of voting power to multiple gauges simultaneously
GaugeController::vote lacks total weight tracking, allowing users to allocate 100% of voting power to multiple gauges simultaneously
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.