Platform: Code4rena
Start Date: 22/05/2024
Pot Size: $20,000 USDC
Total HM: 6
Participants: 126
Period: 5 days
Judge: 0xsomeone
Total Solo HM: 1
Id: 379
League: ETH
Rank: 71/126
Findings: 1
Award: $0.01
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Circolors
Also found by: 0rpse, 0x175, 0xAadi, 0xHash, 0xMax1mus, 0xMosh, 0xblack_bird, 0xdice91, 0xfox, 0xhacksmithh, 0xloscar01, 0xrex, 4rdiii, Audinarey, AvantGard, Bigsam, DPS, Dots, Drynooo, Dudex_2004, Evo, Kaysoft, King_, Limbooo, MrPotatoMagic, PENGUN, Sabit, SovaSlava, SpicyMeatball, TheFabled, Utsav, Varun_05, Walter, adam-idarrha, araj, aslanbek, ayden, bctester, biakia, bigtone, brgltd, carrotsmuggler, cats, crypticdefense, dd0x7e8, dhank, fandonov, fyamf, grearlake, iamandreiski, ilchovski, jasonxiale, joaovwfreire, lanrebayode77, m4ttm, merlinboii, niser93, nnez, octeezy, oxchsyston, pamprikrumplikas, rouhsamad, tedox, trachev, turvy_fuzz, twcctop, yotov721, zhaojohnson
0.0056 USDC - $0.01
Any user can increase the lock time of an account on a token specific basis by locking a small amount of that token.
Tokens can either be locked with lock or with lockOnBehalf, which allows an account to lock tokens on behalf of any account, calling the private _lock function. Unlock time is tracked per token per account, and locking any amount of tokens for an account will increase their unlockTime.
In the _lock function, used by lock and lockOnBehalf
lockedToken.unlockTime = uint32(block.timestamp) + uint32(_lockDuration);
This can be used to delay the unlock time for a user longer than expected, potentially causing a DOS on unlocking tokens should a malicious user decide to abuse this.
Manual review
Only allow account approved operators to lock on behalf of their account.
DoS
#0 - c4-judge
2024-06-05T12:58:55Z
alex-ppg marked the issue as satisfactory