Arcade.xyz - BenRai's results

Lines of code

https://github.com/code-423n4/2023-07-arcade/blob/f8ac4e7c4fdea559b73d9dd5606f618d4e6c73cd/contracts/NFTBoostVault.sol#L342-L349

Vulnerability details

Impact

After updating the multiplier of an NFT ID all delegates have the old votes base on the old multiplier as long as the user who uses this NFT ID does not call any function that triggers _syncVotingPower. Even though the function updateVotingPower can be called by anybody to update anybody’s voting power, there is no feasible way to determine whose voting power needs to be updated after changing the multiplier of an NFT ID. This can lead to old voting power multiplications making the votes of a delegate to high (if the factor was lowered) or to low (if the factor was increased). This makes governance voting skewed.

Proof of Concept

Example: Alice deposits 100 tokens using the NFT ID 1. When she deposits the multiplier of the ID is 1.5 giving her 100 * 1.5 = 150 votes. Now the voting power of the NFT ID 1 is changed to 1.

Bob deposits 100 tokens also using the NFT ID 1. He now has 100 * 1 = 100 votes even though both use the same NFT and deposit the same token.

There is no easy way to find out that Alice uses the NFT with the ID 1 and updateVotingPower for her. As long as she does not trigger _syncVotingPower she will have more votes than Bob.

Tools Used

Manual review

Recommended Mitigation Steps

Add a mapping of token ID to array of addresses that use this token ID. This way, when changing multiplier of an NFT ID it is easy to know for which addresses the voting power needs to be adjusted.

Assessed type

Other