veRWA - seerether's results

Lines of code

https://github.com/code-423n4/2023-08-verwa/blob/9a2e7be003bc1a77b3b87db31f3d5a1bcb48ed32/src/VotingEscrow.sol#L366 https://github.com/code-423n4/2023-08-verwa/blob/9a2e7be003bc1a77b3b87db31f3d5a1bcb48ed32/src/VotingEscrow.sol#L398 https://github.com/code-423n4/2023-08-verwa/blob/9a2e7be003bc1a77b3b87db31f3d5a1bcb48ed32/src/VotingEscrow.sol#L331

Vulnerability details

Impact

• User A will not be able to withdraw their tokens even after their lock expires if the delegatee (User B) has -withdrawn their lock.

• User A is essentially "orphaned" - their delegatee withdrew so they have no voting power, but their lock still shows a delegation.

Proof of Concept

User A will not be able to withdraw their tokens even after their lock expires if the delegatee (User B) has withdrawn their lock.

The key parts of the code that lead to this are:

In delegate() - This updates the delegatee address on User A's lock struct to User B : https://github.com/code-423n4/2023-08-verwa/blob/9a2e7be003bc1a77b3b87db31f3d5a1bcb48ed32/src/VotingEscrow.sol#L366

And in _delegate() - This subtracts the delegated amount from User B's lock struct when User B withdraws: https://github.com/code-423n4/2023-08-verwa/blob/9a2e7be003bc1a77b3b87db31f3d5a1bcb48ed32/src/VotingEscrow.sol#L398

However, there is no code that resets User A's delegatee address back to their own address when User B withdraws. So the sequence would be:

1. User A delegates to User B
2. User B withdraws their lock
3. User A's lock expires but delegatee is still set to User B
4. User A tries to withdraw but it reverts due to require(locked_.delegatee == msg.sender, "Lock delegated"); in https://github.com/code-423n4/2023-08-verwa/blob/9a2e7be003bc1a77b3b87db31f3d5a1bcb48ed32/src/VotingEscrow.sol#L331

Tools Used

Manual

Recommended Mitigation Steps

reset the delegator's delegatee address to their own address when the delegatee withdraws their lock

Assessed type

Other