FIAT DAO veFDT contest - tabish's results

Unlock liquidity for your DeFi fixed income assets.

General Information

Platform: Code4rena

Start Date: 12/08/2022

Pot Size: $35,000 USDC

Total HM: 10

Participants: 126

Period: 3 days

Judge: Justin Goro

Total Solo HM: 3

Id: 154

League: ETH

FIAT DAO

Findings Distribution

Researcher Performance

Rank: 38/126

Findings: 1

Award: $77.72

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: Aymen0909

Also found by: 0xSky, 0xf15ers, CertoraInc, JohnSmith, auditor0517, bin2chen, csanuragjain, scaraven, tabish, wagmi, yixxas

Labels

bug
duplicate
2 (Med Risk)

Awards

77.7206 USDC - $77.72

External Links

Lines of code

https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L513

Vulnerability details

Impact


oldLocked is created as a copy of locked_ (LockedBalance memory oldLocked = _copyLock(locked_);) after locked_.end has already been set to the new unlock time, and oldLocked.end is then assigned that same new value (oldLocked.end = unlock_time;). The "old" and "new" structs are therefore identical. Both are passed to _checkpoint(msg.sender, oldLocked, locked_);, so the checkpoint sees no difference between the lock before and after the change and its bias/slope math is wrong: the user's own point is computed from locked_, but the global accounting is not corrected for the new unlock time.

Proof of Concept


locked_.end is assigned unlock_time here https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L507. When locked_.delegatee == msg.sender, oldLocked is created as a copy of locked_ here https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L512, but instead of assigning oldUnlockTime, the new unlock timestamp unlock_time is assigned to oldLocked.end here https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L513, making oldLocked and locked_ identical.

Because oldLocked and locked_ are the same when passed into _checkpoint(msg.sender, oldLocked, locked_); here https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L514, the old/new difference that the checkpoint relies on is zero, which results in incorrect calculations of userOldPoint.bias and pointHistory at https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L240 and https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L372.
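To make the effect of passing an identical old and new lock into _checkpoint concrete, the following is an added Python model of Curve-style voting-escrow bias/slope accounting (the design this kind of VotingEscrow follows). It is not the project's code: the function names, the MAXTIME value, the week-aligned timestamps and the lock amount are assumptions chosen so the arithmetic is exact. It creates a one-year lock, extends it to two years with and without the reported bug, and then compares the user's balance with the total supply eight weeks after the original unlock time.

```python
# Added illustration (not the project's code): a simplified, Curve-style
# voting-escrow checkpoint model used to show what happens when _checkpoint()
# is handed an "old" lock whose end already equals the new end.
from dataclasses import dataclass, field

WEEK = 7 * 86400
MAXTIME = 4 * 365 * 86400  # assumed maximum lock length (Curve uses 4 years)


@dataclass
class LockedBalance:
    amount: int  # tokens locked (stands in for the delegated amount)
    end: int     # unlock timestamp, week-aligned


@dataclass
class Point:
    bias: int
    slope: int


@dataclass
class VotingEscrowModel:
    ts: int                                   # time of the last global checkpoint
    bias: int = 0                             # global (total supply) point
    slope: int = 0
    slope_changes: dict = field(default_factory=dict)   # end timestamp -> slope delta
    user_point: tuple = field(default_factory=lambda: (Point(0, 0), 0))

    @staticmethod
    def _user_point(lock, now):
        """userOldPoint / userNewPoint: linear decay from `now` to the lock end."""
        if lock.end > now and lock.amount > 0:
            slope = lock.amount // MAXTIME
            return Point(slope * (lock.end - now), slope)
        return Point(0, 0)

    def _advance(self, now):
        """Replay the global point week by week, applying scheduled slope changes."""
        t = self.ts
        while t < now:
            t_next = min((t // WEEK + 1) * WEEK, now)
            self.bias = max(self.bias - self.slope * (t_next - t), 0)
            self.slope = max(self.slope + self.slope_changes.get(t_next, 0), 0)
            t = t_next
        self.ts = now

    def checkpoint(self, old, new, now):
        u_old, u_new = self._user_point(old, now), self._user_point(new, now)
        self._advance(now)
        old_dslope = self.slope_changes.get(old.end, 0)
        new_dslope = old_dslope if new.end == old.end else self.slope_changes.get(new.end, 0)
        # Global point only moves by the old/new difference: zero if old == new.
        self.slope += u_new.slope - u_old.slope
        self.bias += u_new.bias - u_old.bias
        if old.end > now:                        # cancel the drop scheduled at the old end
            old_dslope += u_old.slope
            if new.end == old.end:
                old_dslope -= u_new.slope
            self.slope_changes[old.end] = old_dslope
        if new.end > now and new.end > old.end:  # schedule the drop at the new end
            new_dslope -= u_new.slope
            self.slope_changes[new.end] = new_dslope
        self.user_point = (u_new, now)           # user point is always taken from `new`

    def increase_unlock_time(self, locked, unlock_time, now, buggy):
        old_unlock_time = locked.end
        locked.end = unlock_time
        old_locked = LockedBalance(locked.amount, locked.end)  # _copyLock(locked_)
        # The reported bug: oldLocked.end is overwritten with the NEW unlock time,
        # so old_locked == locked and the checkpoint sees no change.
        old_locked.end = unlock_time if buggy else old_unlock_time
        self.checkpoint(old_locked, locked, now)

    def balance_of(self, t):
        p, ts = self.user_point
        return max(p.bias - p.slope * (t - ts), 0)

    def total_supply(self, t):
        self._advance(t)
        return self.bias


def run(buggy):
    """Lock for 1 year, extend to 2 years, then read the user's balance and the total
    supply 8 weeks after the ORIGINAL end. Returns (balance, total_supply)."""
    t0, t1 = 100 * WEEK, 110 * WEEK                 # constructed, week-aligned times
    end1, end2 = t0 + 52 * WEEK, t0 + 104 * WEEK
    amount = 1000 * MAXTIME                          # chosen so slope == 1000 exactly
    ve = VotingEscrowModel(ts=t0)
    locked = LockedBalance(amount, end1)
    ve.checkpoint(LockedBalance(0, 0), locked, t0)   # create the lock
    ve.increase_unlock_time(locked, end2, t1, buggy)
    t_query = end1 + 8 * WEEK
    return ve.balance_of(t_query), ve.total_supply(t_query)
```

With the correct old end, run(False) returns equal values for the user's balance and the total supply (the slope change at the old end is cancelled and a new one is scheduled at the new end). With the bug, run(True) leaves the old slope change in place and never schedules the new one, so the total supply decays to zero at the original unlock time while the user still reads a non-zero balance from their own point.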

Tools Used

Manual Review

Recommended Mitigation Steps

Set oldLocked.end to the old unlock time rather than the new one:

oldLocked.end = oldUnlockTime;

#0 - lacoop6tu

2022-08-16T10:17:16Z

Duplicate of #217
