31416 - [SC - Insight] Impossible to set boostMultiplier to MIN_BOOST
Submitted on May 18th 2024 at 20:29:44 UTC by @RNemes for Boost | Alchemix
Report ID: #31416
Report type: Smart Contract
Report severity: Insight
Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/Voter.sol
Impacts:
Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Description
Brief/Intro
The setBoostMultiplier function in the contract contains a logic flaw where the check for _boostMultiplier being greater than MIN_BOOST inadvertently prevents setting the boostMultiplier to MIN_BOOST, which is defined as zero. This prevents users from setting the boostMultiplier to its minimum allowed value, potentially leading to unexpected behavior or inability to achieve certain intended configurations.
Vulnerability Details
The vulnerability lies in the setBoostMultiplier function's requirement check:
Given the definition:
The condition _boostMultiplier > MIN_BOOST translates to _boostMultiplier > 0, which means _boostMultiplier must be greater than zero. Therefore, it's impossible to set _boostMultiplier to zero, even though zero is defined as the minimum boost allowed (MIN_BOOST). This restriction can prevent the proper functioning of the contract if setting the boostMultiplier to zero is a required use case.
Impact Details
The impact of this vulnerability is primarily operational rather than financial. If the boostMultiplier needs to be set to zero for certain operations or configurations, the current implementation will prevent this, potentially leading to incorrect contract behavior or inability to revert to a default state. This could disrupt contract functionality and the ability of the admin to control the boostMultiplier as intended. In scenarios where setting the multiplier to zero is necessary for security or protocol reasons, this bug could pose a more significant risk.
Proof of Concept
Add the following failing test to src/test/Voting.t.sol
Last updated