Lucene search

HistoryAug 01, 2022 - 12:00 a.m.

Possible to delegate same token


Lines of code

Vulnerability details


It’s possible to call delegate(tokenId1, tokenId2) using the same token tokenId1 multiple times. The previous delegated value isn’t deleted, and all delegations stack up.

This way tokenId2 will have all these tokens as delegated:

checkpoints[tokenId2][nCheckpoints-1].delegatedTokenIds = [tokenId1, tokenId1, ...]

When calculating the votes for this token, there’s no check that the delegated tokens are different, so the values all sum together.

Proof of Concept

Alice has two tokens. She calls delegate(tokenId1, tokenId2) multiple times, accruing the voting power of tokenId2 over her true token balance.
During a governance proposal, GovernorAlpha#castVote will call VoteEscrow#getPriorVotes getting an artificially high voting power. She can use this power to pass whatever proposal she likes.

Recommended Mitigation Steps

Consider adding a require(delegates[tokenId] == address(0)) in the function delegate. Changing a delegation this way requires the user to call removeDelegation beforehand.

The text was updated successfully, but these errors were encountered:

All reactions