veRWA - Kow's results

Lines of code

https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/VotingEscrow.sol#L384 https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/VotingEscrow.sol#L331 https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/VotingEscrow.sol#L288-L323 https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/VotingEscrow.sol#L268-L284

Vulnerability details

Vulnerability Details

In VotingEscrow.sol, users with locked CANTO may call the delegate function to transfer their voting power to one other user with an existing lock, transfer from their existing delegatee to another, or transfer back to themselves. A restriction on this action is that the end time of the new delegatee's lock must exceed the end time of the previous delegatee's lock.

The issue is anyone can increase their lock's end time by LOCKTIME (currently 5 years) with increaseAmount (or createLock for an expired and withdrawn lock) with as little as 1 CANTO (plus gas fees).

This means a malicious delegatee may call increaseAmount multiple times, forcing the votes' owner to call increaseAmount an equivalent number of times if they want to retrieve their delegated voting power. The end time on the owner's lock is forced upwards and they cannot withdraw their funds even if they were originally intending to undelegate for the purpose of withdrawal (since withdraw requires the lock's delegatee to be the lock's owner). The cost of this for the malicious delegatee depends on how much CANTO they have locked, or whether they can withdraw their lock (which DOES NOT return delegated votes) before griefing (after which they can call createLock and increaseAmount with trivial amounts).

Alternatively, the restriction ties the owner's lock time to their delegatee's since their lock's end time must be > their delegatee's lock end time, potentially resulting in the delegatee's unmalicious action to increase their personal lock amount forcing the owner to do so unintentionally.

Impact

The lock's owner is forced to increase their lock duration by griefing or by delegatee's actions on their personal lock, obstructing their ability to transfer voting power to another delegatee or withdrawing after their original lock duration is due and reducing control over their investment in CANTO governance.

Tools Used

Manual Review

Recommended Mitigation Steps

Consider removing the mentioned require statement or modify it so that it depends on the owner's lock time as the owner of voting power should be able to freely transfer it regardless of the lock times of the delegatee.

Assessed type

Other