Code4rena: CODE423N4:2023-12-REVOLUTIONPROTOCOL-FINDINGS-ISSUES-627
Dec 21, 2023 - 12:00 a.m.

Delegation to address(0) causes permanent loss of voting power


Lines of code
<https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/NontransferableERC20Votes.sol#L29>
<https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/base/erc20/ERC20VotesUpgradeable.sol#L24>

Vulnerability details

Impact

As stated in the comment on line 12 of NontransferableERC20Votes.sol, delegation of vote power can be done through the delegate function or by providing a signature to be used with delegateBySig. However, these functions do not prevent users from delegating to address(0), leading users to permanently lose their voting power, intentionally or accidentally.

Proof of Concept

The following test demonstrates that delegation to address(0) is possible and indeed results in the loss of voting power. You can paste this into NontransferableERC20.t.sol. Also see the issue in the Nouns Builder repo for the same bug: code-423n4/2022-09-nouns-builder-findings#203

function testVotingAndDelegationToAddress0() public {
    address delegate = address(0);
    uint256 mintAmount = 1000 * 1e18;

    // Mint tokens to the owner
    vm.startPrank(address(erc20TokenEmitter));
    erc20Token.mint(address(this), mintAmount);
    vm.stopPrank();

    // Delegate voting power
    erc20Token.delegate(delegate);

    // @bug Voting power is lost.
    assertEq(erc20Token.getVotes(delegate), 0);

    // Ensure that no tokens were transferred in the process of delegation
    assertEq(erc20Token.balanceOf(delegate), 0, "Delegation should not transfer tokens");
}

Tools Used

Manual Review

Recommended Mitigation Steps

Don’t allow delegation to address(0): add the following check to both the delegate and delegateBySig functions:

require(delegatee != address(0), "Votes: delegate to the zero address");

Assessed type

Context
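
Added example, not code from the finding or from the Revolution Protocol repository: a stripped-down vote ledger showing why units delegated to address(0) count for nobody, next to a hardened variant that applies the recommended check. VotesModel, GuardedVotesModel, the mint helper and _moveVotes are hypothetical names, and placing the check in one internal _delegate (instead of in each entry point) assumes that both delegate and delegateBySig route through it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model (assumption): checkpoints are reduced to one current value
// per delegatee, and signature-based delegation is omitted.
contract VotesModel {
    mapping(address => uint256) public balanceOf; // voting units held
    mapping(address => address) public delegates; // holder => chosen delegatee
    mapping(address => uint256) public getVotes;  // delegatee => current votes

    // Hypothetical stand-in for the token's mint path.
    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
        _moveVotes(address(0), delegates[to], amount);
    }

    function delegate(address delegatee) public virtual {
        _delegate(msg.sender, delegatee);
    }

    // Single internal path; a delegateBySig entry point would call this too.
    function _delegate(address account, address delegatee) internal virtual {
        address old = delegates[account];
        delegates[account] = delegatee;
        _moveVotes(old, delegatee, balanceOf[account]);
    }

    // Votes moved to address(0) are subtracted from the source and credited to nobody.
    function _moveVotes(address from, address to, uint256 amount) private {
        if (from == to || amount == 0) return;
        if (from != address(0)) getVotes[from] -= amount;
        if (to != address(0)) getVotes[to] += amount;
    }
}

// Hardened variant: the recommended check, placed where every entry point passes.
contract GuardedVotesModel is VotesModel {
    function _delegate(address account, address delegatee) internal override {
        require(delegatee != address(0), "Votes: delegate to the zero address");
        super._delegate(account, delegatee);
    }
}
```

In this model, a holder who self-delegates and then calls delegate(address(0)) on VotesModel sees getVotes for their own address drop to 0, while the same call on GuardedVotesModel reverts and leaves delegates and getVotes unchanged.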

