Core Contracts

Summary

The getBoostMultiplier function in the BoostController contract has an arithmetic flaw that causes it to always return the maximum boost multiplier (25000 basis points) whenever a boost is present, regardless of the actual boost value.

Vulnerability Details

The function calculates an intermediary value (baseAmount) using the formula:

and then computes the multiplier as:

For any nonzero userBoost.amount, this simplifies to always returning MAX_BOOST (25000 basis points). For example, if userBoost.amount is 10000 (representing a 1× boost), the computation ends up returning 25000, and if it is 25000 (representing a 2.5× boost), it also returns 25000.

The boost value (userBoost.amount) is already stored in basis points (between MIN_BOOST and MAX_BOOST). The additional division and multiplication do not introduce variability; instead, they force the returned value to equal the maximum boost, regardless of the actual stored boost value.

Impact

• Incorrect Display of Boost Values:
  Users and any interfacing systems relying on getBoostMultiplier will always see the maximum boost (2.5×) even when the actual boost is lower. This misrepresentation can lead to erroneous user expectations and incorrect off-chain data processing.

Tools Used

Manual Review

Recommendations

• Simplify the Getter Function:
  Since userBoost.amount is already maintained in basis points (ranging from 10000 to 25000), the function should simply return userBoost.amount directly without further manipulation.

• Review Calculation Logic:
  Reevaluate the intended semantics of the boost multiplier. If a transformation is required, adjust the arithmetic operations to correctly reflect the relationship between the stored boost value and the effective multiplier.