Code4rena: 2023-12-autonolas findings, issue 451
Jan 08, 2024

MALICIOUS USER CAN DoS A NORMAL USER FROM LOCKING THE OLAS TOKENS FOR A SHORTER PERIOD OF TIME, TO GET VOTING POWER

Lines of code
<https://github.com/code-423n4/2023-12-autonolas/blob/main/governance/contracts/veOLAS.sol#L437-L439>
<https://github.com/code-423n4/2023-12-autonolas/blob/main/governance/contracts/veOLAS.sol#L498-L500>

Vulnerability details

Impact

The veOLAS.createLockFor function deposits amount OLAS tokens for account and locks them until unlockTime. createLockFor is an external function with no access control, so any user can call it and create a lock for any account by locking an OLAS token amount > 0.

The createLockFor function calls veOLAS._createLockFor, which performs input validation on the passed-in amount and unlockTime values to ensure they are within the acceptable ranges. It then calls veOLAS._depositFor with DepositType.CREATE_LOCK_TYPE to create the lock, transferring the OLAS token amount from msg.sender to the veOLAS contract.

Let's assume the following scenario:

  1. User A wants to deposit 1000 OLAS tokens for a lock period of 1 YEAR.
  2. User A calls veOLAS.createLock with amount = 1000e18 and unlockTime = 1 YEAR.
  3. A malicious user sees this pending transaction and wants to DoS User A's chosen lock period for the OLAS token deposit.
  4. The malicious user front-runs the veOLAS.createLock transaction with a veOLAS.createLockFor transaction with amount = 1 OLAS, unlockTime = 3 YEARS 364 DAYS and account = User A's address.
  5. Since these input parameters are valid and within the acceptable ranges, the front-running createLockFor transaction executes.
  6. User A's createLock transaction now reverts, because lockedBalance.amount > 0.
  7. User A can still increase his locked token amount by calling veOLAS.increaseAmount, but cannot reduce the lock end time to 1 YEAR since it is already set to 3 YEARS 364 DAYS by the malicious user.
  8. There is no functionality in the veOLAS contract to decrease the end time of a lock. veOLAS.increaseUnlockTime cannot be used for this, since the transaction reverts if the new end time is earlier than the existing lock end time.
  9. Hence, since User A needs his OLAS tokens back after one year and there is no way to withdraw them after only one year (lockedBalance.endTime has already been set to 3 YEARS and 364 DAYS), he will not lock his OLAS tokens and so will not obtain the voting power.
  10. Thus a malicious user can DoS any valid user who intends to lock tokens for a shorter period than the MAXTIME of 4 YEARS.
  11. Thus the normal user cannot lock his spare OLAS tokens in the veOLAS contract to obtain voting power for a shorter period.

Proof of Concept

    function createLockFor(address account, uint256 amount, uint256 unlockTime) external {
        // Check if the account address is zero
        if (account == address(0)) {
            revert ZeroAddress();
        }

        _createLockFor(account, amount, unlockTime);
    }

<https://github.com/code-423n4/2023-12-autonolas/blob/main/governance/contracts/veOLAS.sol#L411-L418>

        if (lockedBalance.amount > 0) {
            revert LockedValueNotZero(account, uint256(lockedBalance.amount));
        }

<https://github.com/code-423n4/2023-12-autonolas/blob/main/governance/contracts/veOLAS.sol#L437-L439>

        if (unlockTime < (lockedBalance.endTime + 1)) {
            revert UnlockTimeIncorrect(msg.sender, lockedBalance.endTime, unlockTime);
        }

<https://github.com/code-423n4/2023-12-autonolas/blob/main/governance/contracts/veOLAS.sol#L498-L500>

Tools Used

Manual Review and VSCode

Recommended Mitigation Steps

It is therefore recommended to require a minimum deposit amount whenever an external caller uses veOLAS.createLockFor to create a lock on behalf of another account. This way a malicious user incurs a real cost when trying to DoS a normal user by unreasonably extending the lock time.

Furthermore, a maximum lock time (e.g. 6 months), much smaller than the MAXTIME of 4 YEARS, can be enforced for veOLAS.createLockFor. A malicious user would then not be able to set the lock end time to a value as large as the 3 YEARS and 364 DAYS of the example above. If the account owner wants to extend the lock end time later, he can easily do so by calling veOLAS.increaseUnlockTime.
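As an added example (not the Autonolas code), this sketch applies both recommendations to the third-party path of createLockFor: the 100 OLAS minimum, the 26-week horizon, the new error names and the simplified lock bookkeeping are assumptions, while the zero-amount, existing-lock and MAXTIME checks follow the veOLAS rules quoted above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Illustrative example, not Autonolas code: only the lock bookkeeping is
// modelled; the OLAS transfer and voting-power checkpoints are omitted.
contract VeOLASThirdPartyLockExample {
    uint256 internal constant WEEK = 1 weeks;
    uint256 internal constant MAXTIME = 4 * 365 days;
    // Assumed limits, applied only when someone locks on behalf of another account.
    uint256 public constant MIN_THIRD_PARTY_AMOUNT = 100e18; // 100 OLAS
    uint256 public constant MAX_THIRD_PARTY_LOCK = 26 weeks; // about 6 months

    struct LockedBalance { uint256 amount; uint256 endTime; }
    mapping(address => LockedBalance) public mapLockedBalances;

    error ZeroAddress();
    error ZeroValue();
    error LockedValueNotZero(address account, uint256 amount);
    error UnlockTimeIncorrect(address account, uint256 minUnlockTime, uint256 providedUnlockTime);
    error MaxUnlockTimeReached(address account, uint256 maxUnlockTime, uint256 providedUnlockTime);
    error ThirdPartyAmountTooLow(uint256 amount, uint256 minimum);
    error ThirdPartyLockTooLong(uint256 unlockTime, uint256 maximum);

    function createLockFor(address account, uint256 amount, uint256 unlockTime) external {
        if (account == address(0)) revert ZeroAddress();
        if (account != msg.sender) {
            // Locking for someone else must cost real value, so griefing is not free.
            if (amount < MIN_THIRD_PARTY_AMOUNT) revert ThirdPartyAmountTooLow(amount, MIN_THIRD_PARTY_AMOUNT);
            // And it cannot pin the owner's endTime far into the future;
            // the owner can still extend it later via increaseUnlockTime.
            uint256 maxUnlock = block.timestamp + MAX_THIRD_PARTY_LOCK;
            if (unlockTime > maxUnlock) revert ThirdPartyLockTooLong(unlockTime, maxUnlock);
        }
        _createLockFor(account, amount, unlockTime);
    }

    function _createLockFor(address account, uint256 amount, uint256 unlockTime) internal {
        if (amount == 0) revert ZeroValue();
        LockedBalance memory lockedBalance = mapLockedBalances[account];
        // Same rule as the veOLAS check quoted above: an existing lock blocks a new one.
        if (lockedBalance.amount > 0) revert LockedValueNotZero(account, lockedBalance.amount);
        uint256 unlockRounded = (unlockTime / WEEK) * WEEK; // round down to whole weeks
        if (unlockRounded <= block.timestamp) revert UnlockTimeIncorrect(account, block.timestamp, unlockRounded);
        if (unlockRounded > block.timestamp + MAXTIME) {
            revert MaxUnlockTimeReached(account, block.timestamp + MAXTIME, unlockRounded);
        }
        mapLockedBalances[account] = LockedBalance(amount, unlockRounded);
    }
}
```

With these limits in place, the 1 OLAS / 3 YEARS 364 DAYS front-run from the scenario reverts on both the amount and the horizon check, while a self-lock by the account owner keeps the full MAXTIME range.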

Assessed type

DoS

