8 matches found
GaugeController` allows for quick vote and withdraw
Lines of code Vulnerability details This issue was identified in the original Curve Finance audit, finding ID TOB-CURVE-DAO-004. It remains unresolved in the mkt.market implementation, but was fixed in the Curve implementation. Impact A malicious voter is able to use full voting power for multipl...
Voters can vote on a single pool multiple times by redelegating
Lines of code Vulnerability details Impact Users should be able to have only one concurrent vote on a pool in GaugeController. When a user votes the weight of his vote is calculated using his userweight parameter and the slope and end time of his balance lock are used to calculate the bias for th...
GaugeController - Vulnerability with changing gauge weight would make the contract stop working
Lines of code Vulnerability details Impact The issue is applied differently based on how changegaugeweight works. 1. When changing gauge weight is essential for every enabled gauge before any vote happens An attacker can front-run changegaugeweight transaction to manipulate slope which can result...
Users can vote infinitely via delegation
Lines of code Vulnerability details Summary GaugeControllervoteforgaugeweights is designed to allow users to vote for gauge rewards based on the amount of $CANTO they have locked in the VotingEscrow contract. VotingEscrow includes functionality for users to delegate their voting power to another...
GaugeController allows for quick vote and withdraw voting strategy
Lines of code Vulnerability details Summary The GaugeController voting can be abused to apply all of the user's weight in every gauge's vote. GaugeController's voting changes the weight of the gauge. Each user can split their voting weight power between the gauges function...
Double voting in GaugeController
Lines of code Vulnerability details Impact Voting with the same collateral multiple times by delegating and undelegating, a process that could manipulatively influenceincrease the weight of a particular lending market where the malicious actor is the major Liquidity provider. Proof of Concept The...
A user can make sybil attack for manipulate gaugeController dao
Lines of code Vulnerability details Impact When voteforgaugeweights used contract just take info of users slope of exact time. And there is no extra check mechanism in protocol for control is user's delegate amount so slope too until user use voteforgaugeweights. So a user can use...
GaugeController.sol isn't updated when voting power is delegated, enabling users to arbitrarily increase gauge weight
Lines of code Vulnerability details Impact A malicious user can arbitrarily increase any gauge's weight, resulting in loss of rewards for lenders of other gauges. Proof of Concept Note that the below code snippet from GaugeController.voteforgaugeweights called by users to cast and change votes...