Submission Details
Severity:
`BaseGauge._getBaseWeight`: wrong value fetched
Summary
The BaseGauge._getBaseWeight function which takes address account as an input parameter never uses it, and returns instead the value for the address(this) every time.
Vulnerability Details
File: contracts/core/governance/gauges/BaseGauge.sol
218: function _getBaseWeight(address account) internal view virtual returns (uint256) {
219: return IGaugeController(controller).getGaugeWeight(address(this)); <@ should be `account`
220: }
...:
...: //* ------------------ some code ---------------- *//
...:
594: function getUserWeight(address account) public view virtual returns (uint256) {
595: uint256 baseWeight = _getBaseWeight(account);
596: return _applyBoost(account, baseWeight);
597: }
Impact
That function is called by BaseGauge.earned, which is called and used by BaseGauge._updateReward to compute account reward.
Recommendations
File: contracts/core/governance/gauges/BaseGauge.sol
function _getBaseWeight(address account) internal view virtual returns (uint256) {
- return IGaugeController(controller).getGaugeWeight(address(this));
+ return IGaugeController(controller).getGaugeWeight(address(account));
}
Updates
Lead Judging Commences
inallhonesty about 1 month ago
Submission Judgement Published Assigned finding tags:
BaseGauge._getBaseWeight ignores account parameter and returns gauge's total weight, allowing users to claim rewards from gauges they never voted for or staked in
inallhonesty about 1 month ago
Submission Judgement Published Assigned finding tags:
BaseGauge._getBaseWeight ignores account parameter and returns gauge's total weight, allowing users to claim rewards from gauges they never voted for or staked in
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.