Code4rena: 2022-03-paladin findings, issue 77
Apr 02, 2022

System could be wrapped and made useless without contract whitelisting


Lines of code
<https://github.com/code-423n4/2022-03-paladin/blob/9c26ec8556298fb1dc3cf71f471aadad3a5c74a0/contracts/HolyPaladinToken.sol#L284>
<https://github.com/code-423n4/2022-03-paladin/blob/9c26ec8556298fb1dc3cf71f471aadad3a5c74a0/contracts/HolyPaladinToken.sol#L268>

Vulnerability details

Impact

Anyone could create a contract or a contract factory ("PAL Locker") with a function that deposits PAL tokens through the contract, locks them and delegates the voting power to the contract owner. The ownership of this contract could then be sold. By doing so, locked hPAL would be made liquid and transferable again. This would eventually break the overall hPAL system, whose premise is that tokens must be locked (made non-liquid) to earn boosted voting power and a boosted reward rate.

Paladin should expect this behavior to happen, as we've seen it happening with veToken models and models implying locking features (see <https://lockers.stakedao.org/> and <https://www.convexfinance.com/>).

This behavior could eventually be beneficial to the original DAO (ex. <https://www.convexfinance.com/> for Curve and Frax), but the original DAO needs to at least be able to blacklist / whitelist such contracts and actors to ensure their interests are aligned with the protocol.

Proof of Concept

To make locked hPAL liquid, Alice could create a contract C. She can then deposit hPAL through the contract, lock them and delegate the voting power to herself. She can then sell or tokenize the ownership of the contract C.

Recommended Mitigation Steps

Depending on whether Paladin wants to be optimistic or pessimistic, implement a whitelisting / blacklisting system for contracts.

See:
<https://github.com/curvefi/curve-dao-contracts/blob/4e428823c8ae9c0f8a669d796006fade11edb141/contracts/VotingEscrow.vy#L185>

<https://github.com/FraxFinance/frax-solidity/blob/7375949a73042c1e6dd14848fc4ea1ba62e36fb5/src/hardhat/contracts/FXS/veFXS_Solidity.sol.old#L370>
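The gating pattern the two links above implement, written out here as an added illustration (not Paladin's code, and not a copy of Curve's or Frax's): a pessimistic gate that rejects any caller that is not an EOA unless a DAO-updatable checker whitelists it, plus an explicit blacklist. `IContractChecker`, `GatedLocker` and the `lock` signature are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical checker the DAO can replace as new locker contracts appear
// (the role Curve's "smart wallet checker" plays for VotingEscrow).
interface IContractChecker {
    function check(address account) external view returns (bool);
}

contract GatedLocker {
    struct Lock { uint256 amount; uint256 unlockTime; }
    address public owner;
    IContractChecker public checker;            // address(0): no contracts allowed at all
    mapping(address => bool) public blacklisted;
    mapping(address => Lock) public locks;

    event CheckerUpdated(address indexed checker);
    event BlacklistUpdated(address indexed account, bool status);

    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Pessimistic gate: calls that did not come straight from an EOA are rejected
    // unless the checker approves the calling contract. Comparing msg.sender with
    // tx.origin also catches a contract calling from its constructor, which an
    // extcodesize check would miss. Multisigs and other smart-contract wallets are
    // blocked too until whitelisted, which is why the checker must stay updatable.
    modifier notBlockedContract() {
        require(!blacklisted[msg.sender], "blacklisted");
        if (msg.sender != tx.origin) {
            require(address(checker) != address(0) && checker.check(msg.sender),
                    "contract not whitelisted");
        }
        _;
    }

    function setChecker(IContractChecker c) external onlyOwner {
        checker = c;
        emit CheckerUpdated(address(c));
    }

    function setBlacklisted(address account, bool status) external onlyOwner {
        blacklisted[account] = status;
        emit BlacklistUpdated(account, status);
    }

    // Locking entry point; token transfer and delegation logic would sit alongside this.
    function lock(uint256 amount, uint256 duration) external notBlockedContract {
        require(amount > 0 && duration > 0, "bad lock");
        locks[msg.sender] = Lock(amount, block.timestamp + duration);
    }
}
```

An optimistic variant keeps the same modifier but defaults the checker to one that returns true, leaving only the blacklist active until a locker is found misbehaving.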

