Submission Details
Severity:
In updateUserBoost() from BoostController.sol it updates the newboost of the user, but sets the workingSupply = user newBoost
Summary
In updateUserBoost() from BoostController.sol it updates the newboost of the user, but sets the workingSupply = user newBoost
Vulnerability Details
When updating the user boost it also updates the workingSupply of the pool, however it shouldn't newBoost of the user to be equal to the workingSupply of the pool, it should accumulate instead of being directly assigned:
function updateUserBoost(address user, address pool) external override nonReentrant whenNotPaused {
//code
uint256 newBoost = _calculateBoost(user, pool, 10000); // Base amount
userBoost.amount = newBoost;
userBoost.lastUpdateTime = block.timestamp;
// Update pool totals safely
if (newBoost >= oldBoost) {
poolBoost.totalBoost = poolBoost.totalBoost + (newBoost - oldBoost);
} else {
poolBoost.totalBoost = poolBoost.totalBoost - (oldBoost - newBoost);
}
poolBoost.workingSupply = newBoost; // Set working supply directly to new boost
//code
}
Impact
workignSupply is not working correctly and can revert in RemoveBoostDelegation, because of this
Tools Used
Recommendations
poolBoost.workingSupply += (newBoost - oldBoost); // Accumulate instead of replacing
Updates
Lead Judging Commences
inallhonesty about 2 months ago
Submission Judgement Published Assigned finding tags:
BoostController::updateUserBoost overwrites workingSupply with single user's boost value instead of accumulating, breaking reward multipliers and allowing last updater to capture all benefits
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.