Core Contracts

Summary

In the GaugeController::_updateGaugeWeight function, the calculation of the new gauge weight can result in weights exceeding the maximum allowed value of 10000 (or WEIGHT_PRECISION). This occurs due to flawed logic in the weight update calculation, which does not properly enforce the upper limit on gauge weights. As a result, users can manipulate gauge weights, leading to unfair distributions of rewards or incentives.

Vulnerability Details

The _updateGaugeWeight function calculates the new gauge weight using the following formula:

This calculation does not enforce an upper limit on the resulting weight, allowing it to exceed WEIGHT_PRECISION (10000). For example:

• If oldGaugeWeight is 5000, oldWeight is 5000, newWeight is85000, and votingPower is 1e18, the calculation would result in:

  newGaugeWeight = 5000 - (5000 * 1e18 / 10000) + (8000 * 1e18 / 10000)

  = 5000 - 5* 1e17 + 8 * 1e17

  = 5000 + 3 * 1e17

• However, if the values are not properly constrained, the resulting weight could exceed 10000, violating the protocol's intended limits.

Impact

The vulnerability has the following consequences:

• Inconsistent Gauge Weights: The flawed logic can lead to incorrect gauge weights, affecting the fairness and accuracy of the protocol.

For example, here uint256 gaugeShare = (g.weight * WEIGHT_PRECISION) / totalWeight;, it is possible to result to 0, based on the totalWeight, where some gauges can have extremelly high values for weights. Also the scaling in the