Platform: Code4rena
Start Date: 07/08/2023
Pot Size: $36,500 USDC
Total HM: 11
Participants: 125
Period: 3 days
Judge: alcueca
Total Solo HM: 4
Id: 274
League: ETH
Rank: 78/125
Findings: 1
Award: $9.82
Selected for report: 0
Solo Findings: 0

Selected for report: RED-LOTUS-REACH
Also found by: 0x3b, 0x4non, 0xCiphky, 0xDING99YA, 0xDetermination, 0xE1, 0xG0P1, 0xStalin, 0xWaitress, 0xbrett8571, 0xhacksmithh, 0xkazim, 0xmuxyz, 0xweb3boy, 14si2o_Flint, AlexCzm, Alhakista, Bube, Bughunter101, Deekshith99, Eeyore, Giorgio, HChang26, InAllHonesty, JP_Courses, KmanOfficial, MatricksDeCoder, Mike_Bello90, MrPotatoMagic, Naubit, QiuhaoLi, RHaO-sec, Raihan, Rolezn, SUPERMAN_I4G, Shubham, Silverskrrrt, Strausses, T1MOH, Topmark, Tripathi, Watermelon, _eperezok, aakansha, auditsea, audityourcontracts, ayden, carlos__alegre, castle_chain, cducrest, ch0bu, d23e, deadrxsezzz, deth, devival, erebus, fatherOfBlocks, halden, hassan-truscova, hpsb, hunter_w3b, imkapadia, immeas, jat, kaden, kaveyjoe, klau5, koxuan, kutugu, ladboy233, lanrebayode77, leasowillow, lsaudit, markus_ether, matrix_0wl, merlin, nemveer, ni8mare, nonseodion, oakcobalt, owadez, p_crypt0, pipidu83, piyushshukla, popular00, ppetrov, rjs, sandy, sl1, supervrijdag, tay054, thekmj, wahedtalash77, windhustler, zhaojie
Award: 9.8204 USDC - $9.82
The `change_gauge_weight` function in the `GaugeController` contract can be used to update a gauge which is invalid.

The functions which are supposed to be called by governance, like `add_gauge` and `remove_gauge`, check whether the gauge address in the input is valid. But the function `change_gauge_weight` does not check for this validity. Due to this missing check, `points_weight[_gauge][next_time].bias`, `time_weight[_gauge]`, `points_sum[next_time].bias` and `time_sum` get updated because of an invalid gauge value (where `next_time = ((block.timestamp + WEEK) / WEEK) * WEEK;`). It is important to note that the `points_sum[next_time].bias` variable gets updated here.

When `gauge_relative_weight` is called for `time = next_time`, the relative weight of the different valid gauges is reduced, because the value `points_sum[t].bias` was already increased when `change_gauge_weight` was called previously with the invalid gauge.

```solidity
function _gauge_relative_weight(address _gauge, uint256 _time) private view returns (uint256) {
    uint256 t = (_time / WEEK) * WEEK;
    uint256 total_weight = points_sum[t].bias;
    if (total_weight > 0) {
        uint256 gauge_weight = points_weight[_gauge][t].bias;
        return (MULTIPLIER * gauge_weight) / total_weight;
    } else {
        return 0;
    }
}
```

This is problematic because the inflation amount received by a gauge equals `inflation_rate * relative_weight / 1e18`. So, a lower inflation amount will be received by the other valid gauges because of the update made for an invalid gauge.

Tools Used: Manual review

Recommended Mitigation Steps: In the function `gauge_relative_weight`, add the following check:

```solidity
require(isValidGauge[_gauge], "Invalid gauge address");
```
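To make the dilution concrete, the following Python model is added here as an illustration; it is not the GaugeController's code. It reduces the storage the finding names (`points_weight`, `points_sum`, `time_weight`, `time_sum`) to plain dicts, reproduces the quoted `_gauge_relative_weight` arithmetic, and lets the `isValidGauge` require be toggled on and off. The gauge names, weights, and the `NOT_A_GAUGE` address are constructed values.

```python
# Constructed, simplified model of the gauge-weight accounting described in the
# finding (not the project's own code). Only the fields the finding names are
# tracked; the check_validity flag models the recommended isValidGauge require().
WEEK = 7 * 24 * 60 * 60
MULTIPLIER = 10**18


class GaugeControllerModel:
    def __init__(self, check_validity: bool) -> None:
        self.check_validity = check_validity
        self.is_valid_gauge: dict[str, bool] = {}
        self.points_weight: dict[tuple[str, int], int] = {}  # (gauge, t) -> bias
        self.points_sum: dict[int, int] = {}                 # t -> total bias
        self.time_weight: dict[str, int] = {}
        self.time_sum = 0

    @staticmethod
    def next_time(timestamp: int) -> int:
        # next_time = ((block.timestamp + WEEK) / WEEK) * WEEK, as in the finding
        return ((timestamp + WEEK) // WEEK) * WEEK

    def add_gauge(self, gauge: str) -> None:
        # Governance path: a gauge only becomes valid here.
        self.is_valid_gauge[gauge] = True

    def change_gauge_weight(self, gauge: str, weight: int, timestamp: int) -> None:
        if self.check_validity and not self.is_valid_gauge.get(gauge, False):
            raise ValueError("Invalid gauge address")
        t = self.next_time(timestamp)
        old = self.points_weight.get((gauge, t), 0)
        self.points_weight[(gauge, t)] = weight
        # points_sum[next_time].bias absorbs the delta whether or not the gauge is valid
        self.points_sum[t] = self.points_sum.get(t, 0) - old + weight
        self.time_weight[gauge] = t
        self.time_sum = t

    def gauge_relative_weight(self, gauge: str, time: int) -> int:
        # Mirrors the _gauge_relative_weight function quoted in the finding.
        t = (time // WEEK) * WEEK
        total_weight = self.points_sum.get(t, 0)
        if total_weight > 0:
            return (MULTIPLIER * self.points_weight.get((gauge, t), 0)) // total_weight
        return 0


def dilution_scenario(check_validity: bool, timestamp: int = 1_000_000) -> dict:
    """Two valid gauges A and B at equal weight, then a weight update for a
    gauge that was never added. Returns A's relative weight before and after
    that update, and whether the update was rejected."""
    m = GaugeControllerModel(check_validity)
    for g in ("A", "B"):
        m.add_gauge(g)
        m.change_gauge_weight(g, 100, timestamp)
    query_time = m.next_time(timestamp)
    before = m.gauge_relative_weight("A", query_time)
    rejected = False
    try:
        # constructed address that governance never registered
        m.change_gauge_weight("NOT_A_GAUGE", 200, timestamp)
    except ValueError:
        rejected = True
    after = m.gauge_relative_weight("A", query_time)
    return {"before": before, "after": after, "rejected": rejected}


if __name__ == "__main__":
    for flag in (False, True):
        r = dilution_scenario(flag)
        print(f"check_validity={flag}: A relative weight {r['before']} -> {r['after']}, "
              f"invalid update rejected={r['rejected']}")
```

Without the check, A's share drops from 0.5e18 to 0.25e18 because the unregistered gauge's weight was added to `points_sum`; with the check, the update reverts and the valid gauges keep their full share.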
Invalid Validation
#0 - 141345
2023-08-13T07:13:21Z
no loss
QA might be more appropriate.
#1 - OpenCoreCH
2023-08-16T15:14:26Z
#2 - c4-sponsor
2023-08-16T15:14:35Z
OpenCoreCH marked the issue as disagree with severity
#3 - c4-sponsor
2023-08-16T15:14:39Z
OpenCoreCH marked the issue as sponsor acknowledged
#4 - alcueca
2023-08-24T06:10:21Z
Function incorrect as to spec, no proof of impact.
#5 - c4-judge
2023-08-24T06:10:25Z
alcueca changed the severity to QA (Quality Assurance)
#6 - c4-judge
2023-08-24T06:10:30Z
alcueca marked the issue as grade-a