Missing ‘Supported Pool’ Check in delegateBoost
Summary
The delegateBoost function allows delegating boosts to any address without verifying the recipient is a supported pool, which deviates from the expected design and may lead to unintentionally meaningless or misleading allocations.
Vulnerability Details
According to the BoostController.md, boosts are meant to be associated with recognized pools.
However, delegateBoost does not confirm to is in supportedPools[to]. This omission violates the intended structure for pool-based delegations. By letting users pass arbitrary addresses, the function updates userBoosts[msg.sender][to] as if to were a valid pool. Although this flaw does not directly compromise funds or governance, it creates confusion and undermines the system’s data integrity if delegations are assigned to non-pool addresses.
Impact
I'm rating this as a Low, but may escalate, as it primarily affects correctness and data integrity rather than direct fund loss. The user’s tokens remain safe, but the protocol’s mechanics for accurate pool-based boosts are compromised. The likelihood is **Medium/High **if any external user can call delegateBoost freely, because it only requires passing a non-pool address to cause confusion or spurious records in the system.
Tools Used
Manual Review
Recommendations
Add a pool check:
Lead Judging Commences
BoostController::delegateBoost lacks supported pool validation, allowing delegation to arbitrary addresses
BoostController::delegateBoost lacks supported pool validation, allowing delegation to arbitrary addresses
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.