Platform: Code4rena
Start Date: 13/12/2023
Pot Size: $36,500 USDC
Total HM: 18
Participants: 110
Period: 8 days
Judge: 0xTheC0der
Id: 311
League: ETH
Rank: 21/110
Findings: 2
Award: $304.35
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: bart1e
Also found by: 0xDING99YA, BowTiedOriole, Ward
296.992 USDC - $296.99
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/base/VotesUpgradeable.sol#L206-L213 https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/NontransferableERC20Votes.sol#L29 https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/base/erc20/ERC20VotesUpgradeable.sol#L24
As stated in the comment on line 12 of NontransferableERC20Votes.sol, delegation of vote power can be done through the delegate function or by providing a signature to be used with delegateBySig. However, these functions do not prevent users from delegating to address(0), leading users to permanently lose their voting power, intentionally or accidentally.
A test demonstrating that delegation to address(0) is possible and indeed results in the loss of voting power. You can paste this into NontransferableERC20.t.sol. Also see: Issue in Nouns Builder repo for the same bug https://github.com/code-423n4/2022-09-nouns-builder-findings/issues/203
function testVotingAndDelegationToAddress0() public { address delegate = address(0); uint256 mintAmount = 1000 * 1e18; // Mint tokens to the owner vm.startPrank(address(erc20TokenEmitter)); erc20Token.mint(address(this), mintAmount); vm.stopPrank(); // Delegate voting power erc20Token.delegate(delegate); // @bug Voting power is lost. assertEq(erc20Token.getVotes(delegate), 0); // Ensure that no tokens were transferred in the process of delegation assertEq(erc20Token.balanceOf(delegate), 0, "Delegation should not transfer tokens"); }
Manual Review
Don't allow delegation to address(0) by adding checks to both delegate and delegateBySig functions as the following:
require(delegatee != address(0), "Votes: delegate to the zero address");
Context
#0 - c4-pre-sort
2023-12-23T01:38:11Z
raymondfam marked the issue as duplicate of #49
#1 - c4-pre-sort
2023-12-23T01:38:15Z
raymondfam marked the issue as insufficient quality report
#2 - c4-judge
2024-01-06T23:29:03Z
MarioPoneder marked the issue as unsatisfactory: Out of scope
#3 - c4-judge
2024-01-10T19:57:21Z
MarioPoneder changed the severity to 3 (High Risk)
#4 - c4-judge
2024-01-10T19:57:41Z
MarioPoneder marked the issue as partial-25
🌟 Selected for report: 0xmystery
Also found by: 00xSEV, 0xCiphky, 0xDING99YA, 0xhitman, ABAIKUNANBAEV, Aamir, BARW, IllIllI, King_, MrPotatoMagic, Pechenite, SovaSlava, SpicyMeatball, Topmark, Ward, ZanyBonzy, ast3ros, bart1e, cheatc0d3, deth, developerjordy, hals, imare, kaveyjoe, ktg, leegh, osmanozdemir1, peanuts, roland, rvierdiiev, shaka, sivanesh_808, spacelord47
7.359 USDC - $7.36
Without ensuring the sequencer's uptime or validating the transaction order, there's a risk of transaction reordering and delay of the settlement of auctions. This could allow someone to manipulate the order in which bids are placed or settled. For instance an attacker could potentially front-run bids, impacting the fairness and outcome of the auction. Also see: https://github.com/sherlock-audit/2023-06-Index-judging/issues/40, lack of sequencer uptime may negatively impact English Auctions as I have described, as well as Dutch auctions.
Manual Review
Determine the maximum tolerable delay for the sequencer and invalidate the auction if the sequencer was down for maximum tolerable delay or more during the auction period.
Other
#0 - c4-pre-sort
2023-12-23T03:58:48Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2023-12-23T03:58:52Z
raymondfam marked the issue as primary issue
#2 - raymondfam
2023-12-23T03:59:04Z
QA low.
#3 - c4-judge
2024-01-06T19:14:35Z
MarioPoneder changed the severity to QA (Quality Assurance)
#4 - c4-judge
2024-01-07T15:50:12Z
MarioPoneder marked the issue as grade-b