Code4rena: CODE423N4:2023-10-ENS-FINDINGS-ISSUES-592
Oct 11, 2023 - 12:00 a.m.

ENS (ERC20Votes) token transferred to the proxy contract will be lost forever.


AI Score: 7 (Confidence: High)

Lines of code
<https://github.com/code-423n4/2023-10-ens/blob/ed25379c06e42c8218eb1e80e141412496950685/contracts/ERC20MultiDelegate.sol#L110-L112>

Vulnerability details

Impact

ENS (ERC20Votes) tokens transferred to the proxy contract will be lost forever, because the delegation amount falls out of sync with the ERC1155 balance once ENS tokens are transferred to the proxy contract.

Proof of Concept

When the user delegates 100 tokens to A, the ERC1155 balance will be 100.

After that, somebody transfers 20 tokens to the proxy contract. As a result, 120 tokens are actually delegated, but the ERC1155 balance remains 100.

        if (sourcesLength > 0) {
            _burnBatch(msg.sender, sources, amounts[:sourcesLength]);
        }

When the user tries to undelegate 120 tokens, the contract calls _burnBatch to burn the ERC1155 tokens. However, only 100 ERC1155 tokens exist, so it can’t burn 120 tokens and the call reverts.
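The scenario above as a small Python ledger model, added here as an illustration and not taken from the ERC20MultiDelegate source. The class, method and account names are assumptions; `stranded()` is the reconciliation check (proxy ENS balance minus ERC1155 minted for that delegate) that exposes the drift.

```python
# Simplified, constructed model of the accounting in this finding.
# Not the contract's code: all names here are assumptions for illustration.
class Revert(Exception):
    """Stands in for an EVM revert (the whole call is rolled back)."""

class MultiDelegateModel:
    def __init__(self, wallets):
        self.wallet = dict(wallets)  # owner -> ENS tokens held in the wallet
        self.proxy = {}              # delegate -> ENS tokens held by its proxy
        self.erc1155 = {}            # (owner, delegate) -> ERC1155 balance

    def delegate(self, owner, delegate, amount):
        if self.wallet.get(owner, 0) < amount:
            raise Revert("ERC20: transfer amount exceeds balance")
        self.wallet[owner] -= amount
        self.proxy[delegate] = self.proxy.get(delegate, 0) + amount
        key = (owner, delegate)
        self.erc1155[key] = self.erc1155.get(key, 0) + amount  # mint

    def direct_transfer(self, sender, delegate, amount):
        # Plain ERC20 transfer to the proxy address: no ERC1155 is minted.
        if self.wallet.get(sender, 0) < amount:
            raise Revert("ERC20: transfer amount exceeds balance")
        self.wallet[sender] -= amount
        self.proxy[delegate] = self.proxy.get(delegate, 0) + amount

    def undelegate(self, owner, delegate, amount):
        key = (owner, delegate)
        # Checks run before any state change, mirroring an atomic revert.
        if self.proxy.get(delegate, 0) < amount:
            raise Revert("ERC20: transfer amount exceeds balance")
        if self.erc1155.get(key, 0) < amount:
            raise Revert("ERC1155: burn amount exceeds balance")
        self.proxy[delegate] -= amount
        self.wallet[owner] += amount
        self.erc1155[key] -= amount  # burn

    def stranded(self, delegate):
        # Tokens in the proxy that no ERC1155 balance can ever redeem.
        minted = sum(v for (_, d), v in self.erc1155.items() if d == delegate)
        return self.proxy.get(delegate, 0) - minted

def scenario():
    m = MultiDelegateModel({"user": 100, "other": 20})
    m.delegate("user", "A", 100)          # ERC1155 balance: 100
    m.direct_transfer("other", "A", 20)   # proxy holds 120, ERC1155 still 100
    try:
        m.undelegate("user", "A", 120)
        reverted = False
    except Revert:
        reverted = True                   # burn of 120 > balance of 100
    m.undelegate("user", "A", 100)        # the backed 100 can still be withdrawn
    return reverted, m.wallet["user"], m.stranded("A")
```

`scenario()` returns `(True, 100, 20)`: the 120-token undelegation reverts, the user recovers the 100 backed tokens, and 20 tokens remain in the proxy with no ERC1155 balance behind them.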

Tools Used

Manual Review

Recommended Mitigation Steps

If the amount to burn is more than the balance, it should be clamped to the balance. This shouldn’t cause a problem, as _reimburse has already withdrawn that amount to the user’s wallet.

Assessed type

Token-Transfer

