Arcade.xyz - 0xmuxyz's results

The first of its kind Web3 platform to enable liquid lending markets for NFTs.

General Information

Platform: Code4rena

Start Date: 21/07/2023

Pot Size: $90,500 USDC

Total HM: 8

Participants: 60

Period: 7 days

Judge: 0xean

Total Solo HM: 2

Id: 264

League: ETH

Arcade.xyz

Findings Distribution

Researcher Performance

Rank: 40/60

Findings: 1

Award: $312.74

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: ktg

Also found by: 0x3b, 0xastronatey, 0xbranded, 0xmuxyz, 0xnev, BenRai, Viktor_Cortess, caventa, oakcobalt, sces60107

Labels

bug
2 (Med Risk)
satisfactory
duplicate-283

Awards

312.7392 USDC - $312.74

External Links

Lines of code

https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/NFTBoostVault.sol#L579-L599
https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/NFTBoostVault.sol#L114-L126
https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/NFTBoostVault.sol#L182-L212

Vulnerability details

Impact

NFTBoostVault#_syncVotingPower() is not called in the following functions, even though it should be:

  • NFTBoostVault#addNftAndDelegate()
  • NFTBoostVault#delegate()

As a result, the voting power of users who call these functions is not updated until someone calls NFTBoostVault#updateVotingPower(). If nobody calls NFTBoostVault#updateVotingPower() for a long time, the voting power of those users (the callers of NFTBoostVault#addNftAndDelegate() and NFTBoostVault#delegate()) is not increased for that whole period; in particular, their multiplier is not applied until NFTBoostVault#updateVotingPower() is eventually called.

Proof of Concept

NFTBoostVault#_syncVotingPower() is the helper used to update a delegatee's voting power: https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/NFTBoostVault.sol#L579-L599

    /**
     * @dev Helper to update a delegatee's voting power.
     *
     * @param who                        The address who's voting power we need to sync.
     *
     * @param registration               The storage pointer to the registration of that user.
     */
    function _syncVotingPower(address who, NFTBoostVaultStorage.Registration storage registration) internal {
        History.HistoricalBalances memory votingPower = _votingPower();
        uint256 delegateeVotes = votingPower.loadTop(registration.delegatee);

        uint256 newVotingPower = _currentVotingPower(registration);
        // get the change in voting power. Negative if the voting power is reduced
        int256 change = int256(newVotingPower) - int256(uint256(registration.latestVotingPower));

        // do nothing if there is no change
        if (change == 0) return;
        if (change > 0) {
            votingPower.push(registration.delegatee, delegateeVotes + uint256(change));
        } else {
            // if the change is negative, we multiply by -1 to avoid underflow when casting
            votingPower.push(registration.delegatee, delegateeVotes - uint256(change * -1));
        }

        registration.latestVotingPower = uint128(newVotingPower);

        emit VoteChange(who, registration.delegatee, change);
    }

The NFTBoostVault#_syncVotingPower() above would be called in the following functions:

However, NFTBoostVault#_syncVotingPower() is not called in the following functions, even though it should be:

  • NFTBoostVault#addNftAndDelegate()
  • NFTBoostVault#delegate()

The voting power of users who call these functions is therefore not updated until someone calls NFTBoostVault#updateVotingPower(); until then their multiplier is not applied.
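To make the sync logic above concrete, here is an added Python model of _syncVotingPower() and of the stale-power scenario described in this finding. It is example code written for this page, not code from the Arcade.xyz repository or from the Code4rena submission; the multiplier scale (1000 == 1.0x), the formula amount * multiplier / 1000, the field and function names, and the single-total ledger standing in for History.HistoricalBalances are all assumptions made for illustration.

```python
# Added example (not code from the Arcade.xyz repository): a minimal model of
# NFTBoostVault._syncVotingPower() and of the stale-power scenario in the
# finding. The multiplier scale (1000 == 1.0x), the voting-power formula and
# the field/function names are assumptions for illustration only.
from dataclasses import dataclass

MULTIPLIER_DENOMINATOR = 1000  # assumption: 1000 == 1.0x


@dataclass
class Registration:
    amount: int                   # tokens deposited by the user
    delegatee: str                # address the user's voting power is delegated to
    latest_voting_power: int = 0  # last value this user pushed into the history


class VotingPowerHistory:
    """Stands in for History.HistoricalBalances: one running total per delegatee."""

    def __init__(self):
        self._top = {}

    def load_top(self, delegatee: str) -> int:
        return self._top.get(delegatee, 0)

    def push(self, delegatee: str, value: int) -> None:
        if value < 0:
            raise ValueError("delegatee total cannot underflow")
        self._top[delegatee] = value


def current_voting_power(reg: Registration, multiplier: int) -> int:
    # Assumed formula: deposited amount scaled by the NFT multiplier.
    return reg.amount * multiplier // MULTIPLIER_DENOMINATOR


def sync_voting_power(history: VotingPowerHistory, reg: Registration, multiplier: int) -> int:
    """Port of _syncVotingPower: apply the signed delta since the last sync, return it."""
    delegatee_votes = history.load_top(reg.delegatee)
    new_power = current_voting_power(reg, multiplier)
    change = new_power - reg.latest_voting_power
    if change == 0:
        return 0
    # Python ints are signed, so the Solidity branch on change < 0 collapses
    # into one addition; push() still refuses an underflowed delegatee total.
    history.push(reg.delegatee, delegatee_votes + change)
    reg.latest_voting_power = new_power
    return change


def stale_power_scenario():
    """Deposit, then change the multiplier: the delegatee total moves only when sync runs."""
    history = VotingPowerHistory()
    reg = Registration(amount=100, delegatee="0xDelegatee")

    # 1) registration at a 1.0x multiplier, synced once -> delegatee holds 100
    sync_voting_power(history, reg, 1000)
    after_register = history.load_top(reg.delegatee)

    # 2) multiplier raised to 1.5x, but no code path calls sync -> still 100
    before_sync = history.load_top(reg.delegatee)

    # 3) someone finally calls updateVotingPower() (i.e. sync) -> 150
    change_up = sync_voting_power(history, reg, 1500)
    after_sync = history.load_top(reg.delegatee)

    # 4) multiplier lowered to 0.8x: the negative-delta branch -> 80
    change_down = sync_voting_power(history, reg, 800)
    after_decrease = history.load_top(reg.delegatee)

    return after_register, before_sync, change_up, after_sync, change_down, after_decrease


if __name__ == "__main__":
    print(stale_power_scenario())
```

Step 2 is the state the finding describes: the multiplier has changed, but nothing on the path the user took (addNftAndDelegate() or delegate()) pushed the new value, so the delegatee's tally stays at the old latest_voting_power until any caller runs the sync.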

Tools Used

  • Foundry

Recommended Mitigation Steps

Within NFTBoostVault#addNftAndDelegate() and NFTBoostVault#delegate(), consider calling NFTBoostVault#_syncVotingPower().

Assessed type

Other

#0 - c4-pre-sort

2023-07-30T15:59:40Z

141345 marked the issue as duplicate of #203

#1 - c4-pre-sort

2023-08-01T09:15:36Z

141345 marked the issue as duplicate of #431

#2 - c4-judge

2023-08-11T16:05:15Z

0xean marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
