14 matches found
Linux Distros Unpatched Vulnerability : CVE-2021-21326
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI befor...
Decayed voting power can be restored by delegating to newer lock
Lines of code Vulnerability details Impact Delegation to newer lock updates slope and bias of delegatee according to new delegated amount and lengthier lock time which leads to decayed voting power from delegator older lock to be restored // @audit - slope and bias being updated according to...
Delegated Votes Blocking Delegator Undelegation
Lines of code Vulnerability details Impact Once a delegator has delegated their votes to a delegatee, and the delegatee employs those votes in an ongoing proposal, the delegator loses the ability to undelegate their votes. VotingEscrow::delegate is used to delegate user A's votes to User B. Once...
[MEDIUM] NFTBoostVault#addNftAndDelegate - Not setting a delegatee in the addNftAndDelegate will cause the addTokens function and updateNft to revert
Lines of code Vulnerability details Impact The absence of a delegatee in the addNftAndDelegate function in the NFTBoostVault contract will cause the addTokens and updateNft functions to revert. This is due to the assumption that a delegatee has been set, which is not always true. This issue may...
voting power is insufficiently tracked
Lines of code Vulnerability details Impact Historical balance tracking of votingPower is not stored due to values being updated in memory rather than storage. This means old delegatees may retain voting power which should have been removed from them, new delegatees may not not receive their...
User who stakes into StRSRVotes doesn't have any voting power
Lines of code Vulnerability details Impact User who stakes into StRSRVotes doesn't have any voting power. This is not intuitive clear and user who thinks that he can vote, actually will not be able until he will delegate votes to himself. Proof of Concept StRSRVotes contract extends StRSR which h...
User can lose all governance power
Lines of code Vulnerability details Impact Contract is missing self delegation in case of delegateBySig function. This means if delegateBySig is called with zero address delegatee then User votes will be burned instead of setting delegatee to signatory Proof of Concept 1. User calls delegateBySig...
Functions quitLock and delegate fundamentally change game theory of VoteEscrow
Lines of code Vulnerability details Impact Without delegation it is not possible to remove voting power before the end of a lock. Function quitLock now makes this possible, but it does not just affect the user who quits the lock. Any votes that are delegated to them are temporarily lost from the...
A delegatee can frontrun the delegator's call to increaseUnlockTime to prevent the delegator to withdraw or quitlock
Lines of code Vulnerability details Impact Charlie and Alice both create a lock, with Alice's lock being longer than Charlie's. Charlie then delegates to Alice. At this point, if Charlie wants to unlock his tokens he can call withdraw or quitLock, but not with a delegation in place see 1, 2, so h...
A malicious delegatee can always block the delegator from undelegating the lock
Lines of code Vulnerability details Impact A user who has delegated his/hers voting power to a delegatee can break his/hers delegate only by submitting a lock with a higher expiration time than the delegatee after a successful call to increaseUnlockTime function. After that, he has to call the...
The _checkpoint function won't be called for a user which is both a delegator and a delegatee in the increaseUnlockTime function
Lines of code Vulnerability details Impact The virtual balance of a user is calculated using 2 values - the amount that is delegated to that user, and his lock period. When calling the increaseUnlockTime function, we want to checkpoint the user's data as long as he doesn't have any funds. This is...
Delegator funds can be stuck or face losses for up to a year through a bad delegatee.
Lines of code Vulnerability details Impact The contest documentation states: Users may delegate ther lock to another user whereby they give the delegatee control over their lock expiration and balance i.e. voting power. ... Moreover, the delegatee's lock expiration needs to be longer than the...
Design/Logic Flaw
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 it is possible to create tickets for another user with self-service interface without delegatee systems enabled. This is...
PT-2021-14423 · Glpi +1 · Glpi +1
Name of the Vulnerable Software and Affected Versions: GLPI versions prior to 9.5.4 Description: The issue allows creating tickets for another user with the self-service interface without having delegatee systems enabled. Recommendations: For versions prior to 9.5.4, update to version 9.5.4 to...