Lines of code
<https://github.com/pooltogether/v4-twab-delegator/blob/master/contracts/Delegation.sol#L40>
The Delegation owner can change the MAX_LOCK duration even though the current lock set on the delegation has not yet expired.
The Delegation owner can also execute calls even when the delegation is locked.
Bypass MAX_LOCK:
1. User A creates a new Delegation using the createDelegation function at TWABDelegator.sol#L226. User A has set _lockDuration to 1 year.
2. The delegation gets created and the delegation _owner is set to User A.
3. User A wants to use the updateDelegatee function, but since _lockDuration is not over, the function fails.
4. User A simply calls the setLockUntil function at Delegation.sol#L52 (the address of this delegation is returned in step 1). Since User A is the owner of this delegation, he is allowed to call this function.
5. Since the MAX_LOCK check is not present in the setLockUntil function, User A simply sets the lock timestamp to 0 and goes ahead with the updateDelegatee function at TWABDelegator.sol#L258, which now works.
Execute Calls with locked Delegation:
1. User A creates a new Delegation using the createDelegation function at TWABDelegator.sol#L226. User A has set _lockDuration to 1 year.
2. The delegation gets created and the delegation _owner is set to User A.
3. User A wants to use the updateDelegatee or transfer function, but since _lockDuration is not over, the function fails.
4. User A simply calls the executeCalls function with the required selector on Delegation.sol#L40, which works since User A is the owner of this delegation.
Add a modifier check on both setLockUntil and executeCalls so that they are only callable from the TWABDelegator.sol contract.
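A sketch of the caller restriction recommended above, as an added example that is neither the project's code nor the reporter's. DelegationSketch, the delegator constructor argument, the onlyDelegator modifier, the Call struct and the error names are assumed for illustration, and lock-duration limits are assumed to be enforced by the calling contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;

/// Hypothetical, simplified stand-in for a per-user delegation contract.
contract DelegationSketch {
    struct Call {
        address to;
        bytes data;
    }

    /// The only contract allowed to drive this delegation (assumed: the delegator contract).
    address public immutable delegator;
    /// Timestamp until which the delegation is locked.
    uint96 public lockUntil;

    error NotDelegator(address caller);
    error CallFailed(uint256 index);

    /// Rejects every caller except the delegator contract, including the end user.
    modifier onlyDelegator() {
        if (msg.sender != delegator) revert NotDelegator(msg.sender);
        _;
    }

    constructor(address _delegator) {
        require(_delegator != address(0), "delegator is zero address");
        delegator = _delegator;
    }

    /// The lock can only be moved by the delegator, which applies its own lock checks first.
    function setLockUntil(uint96 _lockUntil) external onlyDelegator {
        lockUntil = _lockUntil;
    }

    /// Arbitrary calls are only relayed when they come through the delegator.
    function executeCalls(Call[] calldata calls)
        external
        onlyDelegator
        returns (bytes[] memory results)
    {
        results = new bytes[](calls.length);
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, bytes memory ret) = calls[i].to.call(calls[i].data);
            if (!ok) revert CallFailed(i);
            results[i] = ret;
        }
    }
}
```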