Platform: Code4rena
Start Date: 07/08/2023
Pot Size: $36,500 USDC
Total HM: 11
Participants: 125
Period: 3 days
Judge: alcueca
Total Solo HM: 4
Id: 274
League: ETH
Rank: 44/125
Findings: 2
Award: $37.43
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: ltyu
Also found by: 0xDING99YA, 3docSec, KmanOfficial, MrPotatoMagic, RED-LOTUS-REACH, Tendency, Yuki, bart1e, bin2chen, carrotsmuggler, cducrest, kaden, mert_eren, pep7siup, popular00, qpzm, seerether, zhaojie
21.6049 USDC - $21.60
VotingEscrow::delegate function is used by users to delegate voting power to other users. Due to this check in VotingEscrow::delegate function https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/VotingEscrow.sol#L384
require(toLocked.end > block.timestamp, "Delegatee lock expired");
If a user has prior delegated voting power to another user, and fails to undelegate before his lock ends/expires, undelegating will become impossible, thereby losing all locked funds.
Attempts at withdrawing will fail due to this check in VotingEscrow::withdraw function https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/VotingEscrow.sol#L331
require(locked_.delegatee == msg.sender, "Lock delegated");
Manual Review
Special privileges should be given to users when they are undelegating. i.e. When input addr == msg.sender go on to undelegate without further checks
Other
#0 - c4-pre-sort
2023-08-11T11:56:13Z
141345 marked the issue as duplicate of #223
#1 - c4-pre-sort
2023-08-13T12:00:39Z
141345 marked the issue as duplicate of #112
#2 - 141345
2023-08-14T07:46:30Z
Cannot undelegate if delegatee expire (line 384). Not exactly the same as the dups (delegator/owner expire, line 383). But the root reason is similar, so combine.
#3 - c4-judge
2023-08-24T07:16:04Z
alcueca marked the issue as duplicate of #82
#4 - c4-judge
2023-08-24T07:20:31Z
alcueca changed the severity to 3 (High Risk)
#5 - c4-judge
2023-08-24T07:20:40Z
alcueca changed the severity to 2 (Med Risk)
#6 - c4-judge
2023-08-24T07:35:36Z
alcueca marked the issue as partial-50
#7 - c4-pre-sort
2023-08-24T08:19:51Z
141345 marked the issue as not a duplicate
#8 - c4-pre-sort
2023-08-24T08:20:26Z
141345 marked the issue as not a duplicate
#9 - c4-pre-sort
2023-08-24T08:20:51Z
141345 marked the issue as primary issue
#10 - c4-judge
2023-08-24T21:16:47Z
alcueca marked the issue as partial-50
#11 - c4-judge
2023-08-25T06:04:27Z
alcueca marked issue #268 as primary and marked this issue as a duplicate of 268
#12 - c4-judge
2023-08-26T21:24:29Z
alcueca changed the severity to 3 (High Risk)
🌟 Selected for report: ADM
Also found by: 0xDING99YA, 3docSec, BenRai, Jorgect, Kow, MrPotatoMagic, QiuhaoLi, RandomUser, SpicyMeatball, Tendency, Topmark, Watermelon, Yanchuan, Yuki, bart1e, cducrest, kaden, lsaudit, nemveer, nonseodion
15.8333 USDC - $15.83
VotingEscrow::delegate function is used by users to delegate voting power to other users. Currently, users can only delegate to other users whose lock end is ahead of theirs, this works fine for most cases. https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/VotingEscrow.sol#L384
The problem here is, when a user delegates to another user whose lock end is ahead of theirs, there is no way for the user to undelegate, except the user calls VotingEscrow::increaseAmount to increase his delegate value, which in turn resets the user lock end. With the user's lock end now being ahead of the delegatee's lock end, the user gains the ability to undelegate back to themselves, but in a scenario where the delegatee becomes malicious, by front running the user transaction, the delegatee can update their lock time by calling increaseAmount function, making it impossible for the user to undelegate(i.e. set delegatee back to itself).
Note: If a user can't undelegate back to themselves, before the lock ends, withdrawal will become impossible https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/VotingEscrow.sol#L331
require(locked_.delegatee == msg.sender, "Lock delegated");
To wrap up: When a user delegates vote to another user, beside the difficulty in undelegating, the user loses years of waiting whenever they delegate, they will have to start 5 years all over again when they become the delegatee. This will potentially drive users away from using this feature
Manual Review
Special privileges should be given to users when they are undelegating. i.e. When input addr == msg.sender go on to undelegate without further checks
Other
#0 - c4-pre-sort
2023-08-11T11:57:08Z
141345 marked the issue as duplicate of #223
#1 - c4-pre-sort
2023-08-13T11:41:20Z
141345 marked the issue as not a duplicate
#2 - c4-pre-sort
2023-08-13T11:58:17Z
141345 marked the issue as duplicate of #178
#3 - c4-pre-sort
2023-08-14T09:51:40Z
141345 marked the issue as not a duplicate
#4 - c4-pre-sort
2023-08-14T09:52:06Z
141345 marked the issue as duplicate of #82
#5 - c4-judge
2023-08-24T07:20:31Z
alcueca changed the severity to 3 (High Risk)
#6 - c4-judge
2023-08-24T07:20:40Z
alcueca changed the severity to 2 (Med Risk)
#7 - c4-judge
2023-08-24T07:37:12Z
alcueca marked the issue as partial-50
#8 - c4-pre-sort
2023-08-24T08:21:43Z
141345 marked the issue as not a duplicate
#9 - c4-pre-sort
2023-08-24T08:23:59Z
141345 marked the issue as duplicate of #375
#10 - c4-judge
2023-08-24T21:11:05Z
alcueca marked the issue as partial-50
#11 - c4-judge
2023-08-29T06:37:02Z
alcueca marked the issue as duplicate of #182
#12 - c4-judge
2023-08-29T06:37:36Z
alcueca changed the severity to 3 (High Risk)