Platform: Code4rena
Start Date: 07/08/2023
Pot Size: $36,500 USDC
Total HM: 11
Participants: 125
Period: 3 days
Judge: alcueca
Total Solo HM: 4
Id: 274
League: ETH
Rank: 57/125
Findings: 1
Award: $15.83
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: ADM
Also found by: 0xDING99YA, 3docSec, BenRai, Jorgect, Kow, MrPotatoMagic, QiuhaoLi, RandomUser, SpicyMeatball, Tendency, Topmark, Watermelon, Yanchuan, Yuki, bart1e, cducrest, kaden, lsaudit, nemveer, nonseodion
15.8333 USDC - $15.83
https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/VotingEscrow.sol#L331 https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/VotingEscrow.sol#L384 https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/VotingEscrow.sol#L301
Function VotingEscrow::withdraw() in line 331 requires that sender should be his own delegatee, but when user alerady delegated his funds to someone he has to call function VotingEscrow::delegate() with user's address as argument in order to set variable "delegatee" to his address. Then line 384 in that function ensures that new deletatee's lock ends later than former's delegatee. User also can augment his lock time for 5 years in any minute thanks to VotingEscrow::increaseAmount() function. Thanks to that condition Malicous delegatee can block withdrawals of all user that decided to delegate to him by calling function Voting::increaseAmount() thereby increasing his LockedBalance::lock time and making it higher than users LockedBalance::lock time. This will prevent them from changing delegatee which is necessary to withdraw they CANTO
Consider the following scenario :
1 - User A creates a lock VotingEscrow::createLock() with huge amount of CANTO, 2 - Then delegates VotingEscrow::delegate() that amount to malicious user B, 3 - User B deliberately calls VotingEscrow::increaseAmount() near the end of the user's 1 lock in order to increase his end time to maximum,
Now user A can't change LockedBalance::delegatee to himself in order to withdraw his CANTO becasuse his LockedBalance::end is lower than user's B; So the only way of user A to withdraw his CANTO is to extend his lock and change delegatee; But because of that he loses his liqudity for another 5 years;
Manual Review
Consider change line 384 in VoteEscrow to the following condition:
if (_addr != msg.sender) { require(toLocked.end >= fromLocked.end, "Only delegate to longer lock"); }
Invalid Validation
#0 - c4-pre-sort
2023-08-13T04:56:58Z
141345 marked the issue as duplicate of #116
#1 - c4-pre-sort
2023-08-13T14:35:07Z
141345 marked the issue as duplicate of #82
#2 - c4-judge
2023-08-24T07:20:39Z
alcueca changed the severity to 2 (Med Risk)
#3 - c4-judge
2023-08-24T07:28:01Z
alcueca marked the issue as partial-50
#4 - c4-pre-sort
2023-08-24T08:21:45Z
141345 marked the issue as not a duplicate
#5 - c4-pre-sort
2023-08-24T08:24:12Z
141345 marked the issue as duplicate of #375
#6 - c4-judge
2023-08-24T21:11:34Z
alcueca marked the issue as partial-50
#7 - c4-judge
2023-08-29T06:37:07Z
alcueca marked the issue as duplicate of #182
#8 - c4-judge
2023-08-29T06:37:35Z
alcueca changed the severity to 3 (High Risk)