Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Misuse of BoostController's Address for Global Boost Calculations

Summary

The BoostController contract currently retrieves global boost parameters by querying the veRAACToken contract using its own address. Since the BoostController is not intended to hold tokens, this approach results in inaccurate boost calculation inputs, potentially leading to incorrect reward distributions across the protocol.

Vulnerability Details

The updateTotalWeight() function calls veToken.getLockPosition(address(this)) to determine the total locked weight. As the BoostController contract is not designed to lock tokens, its lock position does not accurately reflect the global state. As a result, using the BoostController’s address to derive total weight, total voting power, and current voting power can lead to calculations that do not represent the actual user balances or aggregate protocol data.

    function updateTotalWeight() internal view returns (
        uint256 totalWeight,
        uint256 totalVotingPower,
        uint256 votingPower
    ) {
        return (
            veToken.getLockPosition(address(this)).amount,
            veToken.getTotalVotingPower(),
            veToken.getVotingPower(address(this), block.timestamp)
        );
    }

Impact

Users may receive boost multipliers that do not accurately reflect their voting power, which could result in either dilution or inflation of rewards. Furthermore, the miscalculation can affect the incentives within the protocol, potentially undermining trust and participation.

Tools Used

Manual Review

Recommendations

Remove the use of the BoostController’s own address when retrieving lock position data. Instead, derive the total weight from a proper aggregation of user locks or a dedicated global state variable within the veRAACToken contract.
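
The reported read pattern next to one corrected shape, as an added example that is not code from the RAAC repository or from the submission. The IVeTokenLike interface is assumed from the calls quoted above, the second struct field is illustrative, and getTotalLocked() is a hypothetical global accumulator standing in for the "dedicated global state variable" the recommendation describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example. Interface shape is assumed from the calls shown in the finding;
// getTotalLocked() is hypothetical, not a confirmed veRAACToken function.
interface IVeTokenLike {
    struct LockPosition { uint256 amount; uint256 end; } // `end` is illustrative
    function getLockPosition(address account) external view returns (LockPosition memory);
    function getTotalVotingPower() external view returns (uint256);
    function getVotingPower(address account, uint256 timestamp) external view returns (uint256);
    function getTotalLocked() external view returns (uint256); // hypothetical
}

contract BoostInputsSketch {
    IVeTokenLike public immutable veToken;

    error ZeroAddress();

    constructor(IVeTokenLike veToken_) {
        if (address(veToken_) == address(0)) revert ZeroAddress();
        veToken = veToken_;
    }

    // As reported: both per-account reads target address(this). The controller
    // never locks tokens, so totalWeight and votingPower are read from an
    // account with no lock position.
    function inputsAsReported() public view returns (uint256, uint256, uint256) {
        return (
            veToken.getLockPosition(address(this)).amount,
            veToken.getTotalVotingPower(),
            veToken.getVotingPower(address(this), block.timestamp)
        );
    }

    // Corrected shape: global figures come from global getters, and the
    // per-account figure comes from the user whose boost is being computed.
    function inputsFor(address user) public view returns (
        uint256 totalWeight,
        uint256 totalVotingPower,
        uint256 votingPower
    ) {
        if (user == address(0)) revert ZeroAddress();
        totalWeight = veToken.getTotalLocked();
        totalVotingPower = veToken.getTotalVotingPower();
        votingPower = veToken.getVotingPower(user, block.timestamp);
    }
}
```

A regression test for the fix can assert that inputsFor(user) changes when the user's lock changes, which inputsAsReported() never does.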

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController::updateTotalWeight queries its own nonexistent lock position and voting power when calculating boosts, resulting in zero values that break all boost calculations
