Code4rena: CODE423N4:2022-04-XTRIBE-FINDINGS-ISSUES-42
Apr 27, 2022 - 12:00 a.m.

_incrementGaugeWeight allows user to add weight to nonexistent gauges

Code4rena
github.com

Lines of code

Vulnerability details

Impact

A user can add weight to a gauge that hasn’t been added.

In addition to adding weight to a nonexistent gauge, it also increments _totalWeight, which only contains weight for live gauges. As a result, <https://github.com/fei-protocol/flywheel-v2/blob/77bfadf388db25cf5917d39cd9c0ad920f404aad/src/token/ERC20Gauges.sol#L208> returns values for reward distribution that account for the nonexistent gauge but never send tokens to it, leaving reward tokens permanently stuck in FlywheelGaugeRewards.sol.

Proof of Concept

In Solidity, every key of a mapping exists, so using a key that has not been added returns an empty weight instead. This means that nothing throws an error, allowing the user to add weight to a nonexistent gauge.

Tools Used

Recommended Mitigation Steps

Use isGauge() instead of _deprecatedGauges.contains(gauge)
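
A simplified model of the check and the recommended fix, as an added example that is not the flywheel-v2 source: plain mappings stand in for the gauge sets, and the contract name, `incrementWeak`, `incrementChecked` and the pro-rata `allocation` formula are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Simplified model (added example, not the flywheel-v2 source): plain mappings
// stand in for the gauge sets, and per-user and per-cycle accounting is omitted.
contract GaugeWeightModel {
    error InvalidGaugeError();

    mapping(address => bool) private _gauges;           // every gauge ever added
    mapping(address => bool) private _deprecatedGauges; // subset that was removed
    mapping(address => uint112) public gaugeWeight;     // unknown keys read as 0
    uint112 public totalWeight;                         // intended: live gauges only

    function addGauge(address gauge) external {
        _gauges[gauge] = true;
        _deprecatedGauges[gauge] = false;
    }

    function removeGauge(address gauge) external {
        if (!isGauge(gauge)) revert InvalidGaugeError();
        _deprecatedGauges[gauge] = true;
        totalWeight -= gaugeWeight[gauge];
    }

    // Live means: added and not deprecated.
    function isGauge(address gauge) public view returns (bool) {
        return _gauges[gauge] && !_deprecatedGauges[gauge];
    }

    // Check described in the finding: only deprecated gauges are rejected, so
    // an address that was never added passes and inflates totalWeight.
    function incrementWeak(address gauge, uint112 weight) external {
        if (_deprecatedGauges[gauge]) revert InvalidGaugeError();
        gaugeWeight[gauge] += weight;
        totalWeight += weight;
    }

    // Recommended check: reject anything that is not a live gauge.
    function incrementChecked(address gauge, uint112 weight) external {
        if (!isGauge(gauge)) revert InvalidGaugeError();
        gaugeWeight[gauge] += weight;
        totalWeight += weight;
    }

    // Assumed pro-rata split: a gauge's share of `quantity` by weight.
    function allocation(address gauge, uint256 quantity) external view returns (uint256) {
        if (!isGauge(gauge) || totalWeight == 0) return 0;
        return (quantity * gaugeWeight[gauge]) / totalWeight;
    }
}
```

In this model, `incrementWeak` called with an address never passed to `addGauge` succeeds and raises `totalWeight`, so the allocations of the live gauges no longer sum to the full quantity and the remainder is assigned to no one. `incrementChecked` reverts with `InvalidGaugeError` for the same call.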

