Lines of code
<https://github.com/code-423n4/2023-12-autonolas/blob/main/governance/contracts/veOLAS.sol#L437-L439>
<https://github.com/code-423n4/2023-12-autonolas/blob/main/governance/contracts/veOLAS.sol#L498-L500>
The veOLAS.createLockFor function deposits an amount of OLAS tokens on behalf of account and locks them until unlockTime. createLockFor is an external function with no access control, so any user can call it and create a lock for any account by locking an OLAS token amount > 0.
createLockFor calls veOLAS._createLockFor, which validates the passed-in amount and unlockTime to ensure they are within the acceptable ranges. It then calls veOLAS._depositFor with DepositType.CREATE_LOCK_TYPE to create the lock, transferring the OLAS token amount from msg.sender to the veOLAS contract. Note that the caller (msg.sender) pays for the lock while the account receives it, and the account's existing lock state is checked before the new lock is created.
Let's assume the following scenario now:
```solidity
// veOLAS.createLockFor: callable by anyone, only the zero address is rejected.
function createLockFor(address account, uint256 amount, uint256 unlockTime) external {
    // Check if the account address is zero
    if (account == address(0)) {
        revert ZeroAddress();
    }
    _createLockFor(account, amount, unlockTime);
}
```

```solidity
// veOLAS._createLockFor: an account that already holds a lock (of any size)
// cannot create another one, so whoever creates the first lock wins.
if (lockedBalance.amount > 0) {
    revert LockedValueNotZero(account, uint256(lockedBalance.amount));
}
```

```solidity
// veOLAS.increaseUnlockTime: the new unlock time must be strictly later than the
// current end time, so the account owner can only lengthen a lock, never shorten it.
if (unlockTime < (lockedBalance.endTime + 1)) {
    revert UnlockTimeIncorrect(msg.sender, lockedBalance.endTime, unlockTime);
}
```
Manual Review and VSCode
Hence it is recommended to enforce a minimum deposit amount whenever an external user calls veOLAS.createLockFor to create a lock on behalf of another account. This way a malicious user who tries to DoS a normal user by imposing an unreasonably long lock must give up a non-trivial amount of OLAS to do so.
Furthermore, a maximum lock duration (e.g. 6 months) can be introduced for veOLAS.createLockFor that is much smaller than the MAXTIME of 4 years. A malicious user would then no longer be able to set the lock end time to a value as large as 3 years and 364 days, as in the example above. If the account owner needs a longer lock in the future, they can easily extend it by calling veOLAS.increaseUnlockTime.
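The following is an added sketch of both mitigations (a deposit floor and a lock-length cap that apply only when msg.sender is not the account being locked for). It is illustrative code written for this report, not the veOLAS contract: the constants MIN_THIRD_PARTY_DEPOSIT and MAX_THIRD_PARTY_LOCK, the errors ThirdPartyDepositTooSmall, ThirdPartyLockTooLong, ZeroValue and MaxUnlockTimeReached, the LockedBalance layout and the omission of the ERC20 transfer are all assumptions made to keep the example self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Illustrative contract for this finding; not veOLAS. Only the lock bookkeeping needed to
// show the third-party checks is modelled. The token transfer in _depositFor is omitted.
contract LockForExample {
    struct LockedBalance {
        uint128 amount;
        uint64 endTime;
    }

    // Matches the 4-year MAXTIME the finding refers to.
    uint256 public constant MAXTIME = 4 * 365 days;
    // Assumed mitigation parameters: a floor on what a third party must deposit and a cap
    // (6 months, per the recommendation) on how long a third party may lock for someone else.
    uint256 public constant MIN_THIRD_PARTY_DEPOSIT = 100 ether; // 100 OLAS, assumed value
    uint256 public constant MAX_THIRD_PARTY_LOCK = 182 days;

    mapping(address => LockedBalance) public mapLockedBalances;

    error ZeroAddress();
    error ZeroValue();
    error LockedValueNotZero(address account, uint256 amount);
    error UnlockTimeIncorrect(address account, uint256 minUnlockTime, uint256 providedUnlockTime);
    error MaxUnlockTimeReached(address account, uint256 maxUnlockTime, uint256 providedUnlockTime);
    // Assumed errors for the two new checks.
    error ThirdPartyDepositTooSmall(uint256 amount, uint256 minimum);
    error ThirdPartyLockTooLong(uint256 unlockTime, uint256 maxUnlockTime);

    /// @dev Anyone may still lock on behalf of `account`, but when the caller is not the
    ///      account itself the deposit must be meaningful and the lock must be short, so a
    ///      griefer pays real OLAS for, at most, a 6-month lock on the victim.
    function createLockFor(address account, uint256 amount, uint256 unlockTime) external {
        if (account == address(0)) revert ZeroAddress();
        if (msg.sender != account) {
            if (amount < MIN_THIRD_PARTY_DEPOSIT) {
                revert ThirdPartyDepositTooSmall(amount, MIN_THIRD_PARTY_DEPOSIT);
            }
            uint256 maxThirdPartyUnlock = block.timestamp + MAX_THIRD_PARTY_LOCK;
            if (unlockTime > maxThirdPartyUnlock) {
                revert ThirdPartyLockTooLong(unlockTime, maxThirdPartyUnlock);
            }
        }
        _createLockFor(account, amount, unlockTime);
    }

    /// @dev Locking for oneself keeps the full MAXTIME range.
    function createLock(uint256 amount, uint256 unlockTime) external {
        _createLockFor(msg.sender, amount, unlockTime);
    }

    function _createLockFor(address account, uint256 amount, uint256 unlockTime) internal {
        if (amount == 0) revert ZeroValue();
        LockedBalance memory lockedBalance = mapLockedBalances[account];
        // Same rule as veOLAS: an account can hold only one lock at a time.
        if (lockedBalance.amount > 0) revert LockedValueNotZero(account, uint256(lockedBalance.amount));
        if (unlockTime < block.timestamp + 1) revert UnlockTimeIncorrect(account, block.timestamp, unlockTime);
        if (unlockTime > block.timestamp + MAXTIME) {
            revert MaxUnlockTimeReached(account, block.timestamp + MAXTIME, unlockTime);
        }
        mapLockedBalances[account] = LockedBalance(uint128(amount), uint64(unlockTime));
        // IERC20(olas).transferFrom(msg.sender, address(this), amount) would happen here.
    }

    /// @dev The owner can always extend later (up to MAXTIME); the 6-month cap binds only
    ///      third parties, so the owner is never prevented from choosing a longer lock.
    function increaseUnlockTime(uint256 unlockTime) external {
        LockedBalance memory lockedBalance = mapLockedBalances[msg.sender];
        if (lockedBalance.amount == 0) revert ZeroValue();
        if (unlockTime < lockedBalance.endTime + 1) {
            revert UnlockTimeIncorrect(msg.sender, lockedBalance.endTime, unlockTime);
        }
        if (unlockTime > block.timestamp + MAXTIME) {
            revert MaxUnlockTimeReached(msg.sender, block.timestamp + MAXTIME, unlockTime);
        }
        mapLockedBalances[msg.sender].endTime = uint64(unlockTime);
    }
}
```

The key design point is that both new checks are gated on msg.sender != account, so the legitimate self-lock path is unchanged and the owner's ability to extend via increaseUnlockTime is preserved; only the unsolicited third-party path becomes expensive and short-lived.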
DoS