Inspex - If admin kill a gauge, user’s voting power for that gauge may lost 1 or 2 cycles

[sherlock-admin2]

Inspex

medium

If admin kill a gauge, user’s voting power for that gauge may lost 1 or 2 cycles

Summary

After a user votes for a gauge, they are unable to vote for the same gauge again for 10 days due to the vote delay.

During this period, if the user votes for a gauge that might be killed at the end of the cycle, they may not be able to vote for the other gauge in the current or next cycle, as one cycle lasts for 7 days, and there is a 10-day delay.

Vulnerability Detail

For example:

1. Bob uses 10,000 voting power for gauge A at day 6 of cycle 1.
2. At day 7 of cycle 1, the admin kills gauge A.
3. Bob needs to call vote_for_gauge_weights with _user_weight = 0 again to receive his voting power back.
4. Due to the vote delay for 10 days, Bob will lose the voting power for cycle 1 and cycle 2.

Impact

If the admin kills a gauge, a user's voting power for the current or next gauge may be lost.

Code Snippet

https://github.com/sherlock-audit/2023-11-convergence/blob/main/sherlock-cvg/contracts/Locking/GaugeController.vy#L16

https://github.com/sherlock-audit/2023-11-convergence/blob/main/sherlock-cvg/contracts/Locking/GaugeController.vy#L603

https://github.com/sherlock-audit/2023-11-convergence/blob/main/sherlock-cvg/contracts/Locking/GaugeController.vy#L623

https://github.com/sherlock-audit/2023-11-convergence/blob/main/sherlock-cvg/contracts/Locking/GaugeController.vy#L640

Tool used

Visual Studio Code / Manual Review

Recommendation

Delay the time before killing the gauge.

[nevillehuang]

See this comment here.