6 matches found
Delegating older lock to a newer one does not allow to undelegate it
Lines of code Vulnerability details Impact User who accidentally delegates his lock to the newer one, will get his lock stuck. User won't be able to undelegate his lock, because function delegate will always revert. Please notice, that this is the different issue than previously reported:...
A delegatee can frontrun the delegator's call to increaseUnlockTime to prevent the delegator to withdraw or quitlock
Lines of code Vulnerability details Impact Charlie and Alice both create a lock, with Alice's lock being longer than Charlie's. Charlie then delegates to Alice. At this point, if Charlie wants to unlock his tokens he can call withdraw or quitLock, but not with a delegation in place see 1, 2, so h...
Wrong logic in increaseUnlockTime() function in case undelegated lock and call _checkpoint()
Lines of code Vulnerability details Impact In increaseUnlockTime function, in case it’s undelegated lock, it calls checkpoint for msg.sender with oldLocked and locked. But actually, these 2 locks oldLocked and locked are the same. It makes the logic in checkpoint function works incorrectly. Proof...
Inconsistent logic of increase unlock time to the expired locks
Lines of code Vulnerability details 2022-08-fiatdao Inconsistent logic of increase unlock time to the expired locks Impact Can not prevent expired locks being extended. Proof of Concept Call function function increaseUnlockTime with an expired lock lockedmsg.sender.end block.timestamp Case 1: if...
Voting Escrow System could be wrapped and made useless without contract whitelisting
Lines of code Vulnerability details Impact Anyone could create a contract or a contract factory, say “Velo Locker" with a fonction to deposit VELO tokens through a contract, lock them and delegate the voting power to the contract owner. Then, the ownership of this contract could be sold, or the...
MochiTreasuryV0.sol Is Unusable In Its Current State
Handle leastwood Vulnerability details Impact MochiTreasuryV0.sol interacts with Curve's voting escrow contract to lock tokens for 90 days, where it can be later withdrawn by the governance role. However, VotingEscrow.vy does not allow contracts to call the following functions; createlock,...