30 matches found
Delegate system can be used to increase voting power without resetting the lockEnd
Lines of code Vulnerability details Impact The added delegate mechanism allows increasing the voting power without resetting the lockEnd. Proof of Concept IncreaseAmount increases the locked amount of a msg.sender staked native in VotingEscrow and resets its lockEnd to block.timestamp + LOCKTIME...
Decayed voting power can be restored by delegating to newer lock
Lines of code Vulnerability details Impact Delegation to newer lock updates slope and bias of delegatee according to new delegated amount and lengthier lock time which leads to decayed voting power from delegator older lock to be restored // @audit - slope and bias being updated according to...
createLock, increaseAmount int128(int256(_value)) unsafe downcast can lead to asset loss
Lines of code Vulnerability details Impact Suppose users deposit more than typeint128.max value through createLock and increaseAmount, they may get less voting power and can't get the assets back. Proof of Concept The VotingEscrow.sol is forked from FIATDAO, but it seems don't consider a MEDIUM...
Voters can vote on a single pool multiple times by redelegating
Lines of code Vulnerability details Impact Users should be able to have only one concurrent vote on a pool in GaugeController. When a user votes the weight of his vote is calculated using his userweight parameter and the slope and end time of his balance lock are used to calculate the bias for th...
Users can vote infinitely via delegation
Lines of code Vulnerability details Summary GaugeControllervoteforgaugeweights is designed to allow users to vote for gauge rewards based on the amount of $CANTO they have locked in the VotingEscrow contract. VotingEscrow includes functionality for users to delegate their voting power to another...
Delegated Votes Blocking Delegator Undelegation
Lines of code Vulnerability details Impact Once a delegator has delegated their votes to a delegatee, and the delegatee employs those votes in an ongoing proposal, the delegator loses the ability to undelegate their votes. VotingEscrow::delegate is used to delegate user A's votes to User B. Once...
Double voting in GaugeController
Lines of code Vulnerability details Impact Voting with the same collateral multiple times by delegating and undelegating, a process that could manipulatively influenceincrease the weight of a particular lending market where the malicious actor is the major Liquidity provider. Proof of Concept The...
Fixed locking period of 5 years doesn't allow the delegator to withdraw funds for atleast another 5 years
Lines of code Vulnerability details Details Let's first understand how the process of delegation, withdraw and increaseAmount works 1. Rule 1: To delegate to some user A, A.lock.end needs to be longer than msg.sender.lock.end and A.Lock.end block.timestampLock mustn't be expired...
GaugeController.sol isn't updated when voting power is delegated, enabling users to arbitrarily increase gauge weight
Lines of code Vulnerability details Impact A malicious user can arbitrarily increase any gauge's weight, resulting in loss of rewards for lenders of other gauges. Proof of Concept Note that the below code snippet from GaugeController.voteforgaugeweights called by users to cast and change votes...
User is able to delegate to delegatee with shorter lock when calling increaseAmount()
Lines of code Vulnerability details Impact When a user "user A" calls increaseAmount, if he had previously delegated his lock to another user "delegatee" this would update the end of the lock for "user A" while increasing the amount of delegated for the other user aka "delegatee". This is...
increaseUnlockTime missing _checkpoint for delegated values
Lines of code Vulnerability details PNM-001 increaseUnlockTime missing checkpoint for delegated values. Links Description In the VotingEscrow contract, users can increase their voting power by: Adding more funds to their delegated valule Increasing the time of their lock Being delegated by anothe...
Attackers can abuse the quitLock function to get a very large amount of votes
Lines of code Vulnerability details Impact An attacker can use a flashloan and the quitLock function to achieve a large amount of votes for one transaction. It can, depends on the implementation of the modules that will use this contract, be used to pass malicious proposals or exploit any feature...
Unsafe usage of ERC20 transfer and transferFrom
Lines of code Vulnerability details Impact Some ERC20 tokens functions don't return a boolean, for example USDT, BNB, OMG. So the VotingEscrow contract simply won't work with tokens like that as the token. Proof of Concept The USDT's transfer and transferFrom functions doesn't return a bool, so t...
checkpointing of same state values in increaseUnlockTime()
Lines of code Vulnerability details Impact oldLocked and locked referes to same LockedBalance in increaseUnlockTime while calling checkpoint Proof of Concept // See IVotingEscrow for documentation function increaseUnlockTimeuint256 unlockTime ........ LockedBalance memory locked = lockedmsg.sende...
Some ERC20 tokens don't return bool values
Lines of code Vulnerability details Impact VotingEscrow will not work for such tokens. Proof of Concept This issue is same as a previous contest. In the implementation of token transfer, the return value is checked after token transfer. But some tokens do not return bool values. After DM, I know...
VotingEscrow: Anyone can call the collectPenalty function
Lines of code Vulnerability details Impact In the VotingEscrow contract, anyone can call the collectPenalty function to send penalty tokens to the penaltyRecipient address. However, if the private key of the penaltyRecipient address is compromised, the attacker can immediately call the...
VotingEscrow: uninitialized blocklist will DOS the contract
Lines of code Vulnerability details Impact The checkBlocklist modifier calls the isBlocked function for the blocklist address, but the blocklist is not initialized in the constructor, only assigned by the owner in the updateBlocklist function. This means that after the contract is deployed and...
The toLocked.end >= fromLocked.end in delegate function is inconsistent with design.
Lines of code Vulnerability details Impact The condition of toLocked.end = fromLocked.end in function delegate is inconsistent with design in veFDT Checkpoint Math Proof of Concept In VotingEscrow.sol. L589 requiretoLocked.end = fromLocked.end, "Only delegate to longer lock"; But In veFDT...
VotingEscrow.increaseUnlockTime() uses wrong unlock time for old lock.
Lines of code Vulnerability details Impact VotingEscrow.increaseUnlockTime uses wrong unlock time for old lock. The user's voting power might be calculated wrongly. Proof of Concept As we can see from CheckpointMath, the oldLock.end should be original value but it uses the increased unlocktime...
Blocklist contract lack an unblock mechanism
Lines of code Vulnerability details Impact In Blocklist contract, the manager can block a contract from accessing VotingEscrow by calling the block function. If the manager calls the block function on a contract due to some misunderstanding, the manager cannot resume the contract's access to...