Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Users Cannot Remove Their Own Boost Delegation, Causing Potential Lock-In

Summary

The removeBoostDelegation function in BoostController.sol can only be called by the pool to remove a user’s boost. This results in incorrect boost values until the function is called by the pool. Additionally, a user may be unable to delegate their boost to another pool if the original pool does not execute removeBoostDelegation.

Vulnerability Details

The removeBoostDelegation function currently restricts its execution to the pool that received the delegation. This means users cannot manually revoke their delegation, leaving them dependent on the pool to release their boost. This behavior introduces two issues:

  1. Until removeBoostDelegation is called, the boost values remain incorrect.

  2. Once the issue that allows delegating more boost than is available is fixed, a user may be entirely blocked from delegating again until the pool voluntarily removes the delegation.

The relevant code snippet:

    function removeBoostDelegation(address from) external override nonReentrant {
        // The delegation is looked up under msg.sender, so only the receiving pool can find it.
        UserBoost storage delegation = userBoosts[from][msg.sender];
        if (delegation.delegatedTo != msg.sender) revert DelegationNotFound();
        // Removal is only permitted once the delegation has expired.
        if (delegation.expiry > block.timestamp) revert InvalidDelegationDuration();

        // Subtract the delegated amount from the pool's totals, skipping on underflow.
        PoolBoost storage poolBoost = poolBoosts[msg.sender];
        if (poolBoost.totalBoost >= delegation.amount) {
            poolBoost.totalBoost -= delegation.amount;
        }
        if (poolBoost.workingSupply >= delegation.amount) {
            poolBoost.workingSupply -= delegation.amount;
        }
        poolBoost.lastUpdateTime = block.timestamp;

        emit DelegationRemoved(from, msg.sender, delegation.amount);
        delete userBoosts[from][msg.sender];
    }

The function checks that msg.sender is the pool that received the boost delegation and prevents any other caller from executing the removal, including the user who originally delegated the boost.

Impact

  • Users may get locked into a boost delegation if the pool does not actively call removeBoostDelegation.

  • Until the pool removes the delegation, boost values remain incorrect.

  • If an issue allowing excess delegation is fixed, users may be completely unable to re-delegate their boost until the pool executes the function.

Tools Used

Manual code review

Recommended Mitigation

Allow users to call removeBoostDelegation themselves, ensuring they can revoke their own delegation when needed. This can be achieved by modifying the function to permit either the delegating user or the pool to execute it.
This ensures that users can remove their own delegations while maintaining security constraints.
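
One way to express this mitigation, as an added sketch that is neither the project's code nor the submitter's patch. The two-argument signature, the NotDelegatorOrPool error, the seedDelegation helper, the contract name and the struct, mapping and event declarations are assumptions reconstructed from the names visible in the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added sketch, not the project's BoostController. Struct fields are limited to
// those visible in the quoted snippet; the project's nonReentrant modifier is
// omitted because this function makes no external calls.
contract BoostDelegationSketch {
    struct UserBoost { uint256 amount; uint256 expiry; address delegatedTo; }
    struct PoolBoost { uint256 totalBoost; uint256 workingSupply; uint256 lastUpdateTime; }

    mapping(address => mapping(address => UserBoost)) public userBoosts; // user => pool
    mapping(address => PoolBoost) public poolBoosts;

    error DelegationNotFound();
    error InvalidDelegationDuration();
    error NotDelegatorOrPool(); // hypothetical error name

    event DelegationRemoved(address from, address to, uint256 amount);

    // Constructed test helper standing in for the real delegation flow.
    function seedDelegation(address pool, uint256 amount, uint256 expiry) external {
        userBoosts[msg.sender][pool] = UserBoost(amount, expiry, pool);
        poolBoosts[pool].totalBoost += amount;
        poolBoosts[pool].workingSupply += amount;
    }

    // Hypothetical signature: `pool` is explicit so the delegator can name it.
    function removeBoostDelegation(address from, address pool) external {
        // Authorization: the delegating user or the receiving pool, nobody else.
        if (msg.sender != from && msg.sender != pool) revert NotDelegatorOrPool();

        UserBoost storage delegation = userBoosts[from][pool];
        // Reject empty slots too, so a zero-address pool cannot match a blank entry.
        if (pool == address(0) || delegation.delegatedTo != pool) revert DelegationNotFound();
        // Same rule as the original: removal is only allowed after expiry.
        if (delegation.expiry > block.timestamp) revert InvalidDelegationDuration();

        uint256 amount = delegation.amount;
        delete userBoosts[from][pool];

        PoolBoost storage poolBoost = poolBoosts[pool];
        if (poolBoost.totalBoost >= amount) poolBoost.totalBoost -= amount;
        if (poolBoost.workingSupply >= amount) poolBoost.workingSupply -= amount;
        poolBoost.lastUpdateTime = block.timestamp;

        emit DelegationRemoved(from, pool, amount);
    }
}
```

A third-party caller still reverts, and the expiry rule is unchanged, so the only behavioural difference from the original is that the delegator no longer depends on the pool to release an expired delegation.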

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController: Users unable to remove their own expired boost delegations, creating dependency on recipients and preventing efficient reallocation of boosts
