Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2022-07-GOLOM-FINDINGS-ISSUES-905
HistoryAug 01, 2022 - 12:00 a.m.

Possible to delegate same token

2022-08-0100:00:00
Code4rena
github.com
2
delegate token vulnerability
stackable delegations
voting power
mitigation steps
governance proposal
JSON

Lines of code

Vulnerability details

Impact

It’s possible to call delegate(tokenId1, tokenId2) using the same token tokenId1 multiple times. The previous delegated value isn’t deleted, and all delegations stack up.

This way tokenId2 will have all these tokens as delegated:

checkpoints[tokenId2][nCheckpoints-1].delegatedTokenIds = [tokenId1, tokenId1, ...]

When calculating the votes for this token, there’s no check that the delegated tokens are different, so the values all sum together.

Proof of Concept

Alice has two tokens. She calls delegate(tokenId1, tokenId2) multiple times, accruing the voting power of tokenId2 over her true token balance.
During a governance proposal, GovernorAlpha#castVote will call VoteEscrow#getPriorVotes getting an artificially high voting power. She can use this power to pass whatever proposal she likes.

Recommended Mitigation Steps

Consider adding a require(delegates[tokenId] == address(0)) in the function delegate. Changing a delegation this way requires the user to call removeDelegation beforehand.

The text was updated successfully, but these errors were encountered:

All reactions

JSON