code423n4 | Code4rena | CODE423N4:2022-02-POOLTOGETHER-FINDINGS-ISSUES-13
Feb 22, 2022 - 12:00 a.m.

Bypass MAX_LOCK duration + External calls even when delegation is locked


Lines of code
<https://github.com/pooltogether/v4-twab-delegator/blob/master/contracts/Delegation.sol#L40>

Vulnerability details

Impact

The Delegation owner can change the MAX_LOCK duration even though the current lock set on the delegation has not yet expired.

The Delegation owner can also execute calls even when the delegation is locked.

Proof of Concept

Bypass MAX_LOCK:

  1. User A creates a new Delegation using the createDelegation function at TWABDelegator.sol#L226, setting _lockDuration to 1 year.

  2. The delegation is created and its _owner is set to User A.

  3. User A wants to call the updateDelegatee function, but the call fails because _lockDuration has not yet elapsed.

  4. User A simply calls the setLockUntil function at Delegation.sol#L52 (the Delegation's address is returned in step 1). Since User A is the owner of this delegation, he is allowed to call this function.

  5. Since the MAX_LOCK check is not present in the setLockUntil function, User A sets the lock timestamp to 0 and then calls the updateDelegatee function at TWABDelegator.sol#L258, which now works.

Execute Calls with locked Delegation:

  1. User A creates a new Delegation using the createDelegation function at TWABDelegator.sol#L226, setting _lockDuration to 1 year.

  2. The delegation is created and its _owner is set to User A.

  3. User A wants to call the updateDelegatee or transfer function, but the call fails because _lockDuration has not yet elapsed.

  4. User A simply calls the executeCalls function with the required selector at Delegation.sol#L40, which works since User A is the owner of this delegation.

Recommended Mitigation Steps

Add a modifier check to both setLockUntil and executeCalls so that they are callable only from the TWABDelegator.sol contract.
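
A minimal Solidity sketch of this mitigation, added here as an illustration and not taken from the PoolTogether code base. The contract name, the `delegator` variable, the `onlyDelegator` modifier, the constructor-based setup and the custom errors are assumptions; only `setLockUntil` and `executeCalls` are names from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;

// Simplified sketch, not the PoolTogether contract. Every name except
// setLockUntil and executeCalls is an assumption made for illustration.
contract DelegationSketch {
    struct Call {
        address to;
        bytes data;
    }

    // The contract that deployed this position (stands in for TWABDelegator).
    // Assumed to be where MAX_LOCK and lock expiry are checked.
    address public immutable delegator;
    uint96 public lockUntil;

    error OnlyDelegator(address caller);
    error CallFailed(uint256 index);

    constructor(uint96 _lockUntil) {
        delegator = msg.sender;
        lockUntil = _lockUntil;
    }

    // Reject any caller other than the deploying delegator contract, so the
    // position's owner cannot reach these functions directly.
    modifier onlyDelegator() {
        if (msg.sender != delegator) revert OnlyDelegator(msg.sender);
        _;
    }

    // Lock changes arrive only after the delegator has validated them.
    function setLockUntil(uint96 _lockUntil) external onlyDelegator {
        lockUntil = _lockUntil;
    }

    // Arbitrary calls are executed only on behalf of the delegator.
    function executeCalls(Call[] calldata calls)
        external
        onlyDelegator
        returns (bytes[] memory results)
    {
        results = new bytes[](calls.length);
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, bytes memory ret) = calls[i].to.call(calls[i].data);
            if (!ok) revert CallFailed(i);
            results[i] = ret;
        }
    }
}
```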

