# 30683 - \[SC - Critical] User can increase their unclaimed Flux token wi... Submitted on May 4th 2024 at 11:47:30 UTC by @jecikpo for [Boost | Alchemix](https://immunefi.com/bounty/alchemix-boost/) Report ID: #30683 Report type: Smart Contract Report severity: Critical Target: Impacts: * unbound minting of token * Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results ## Description ## Brief/Intro A user can increase their unclaimed Flux token amount by the abuse of `VotedEscrow.merge()` and `Voter.reset()`. ## Vulnerability Details The `Voter.reset()` function calls `FluxToken.accrueFlux(_tokenId)` which increases the `unclaimed[_tokenId]` balance according the `_tokenId` voting power. The `Voter.reset()` function can be called only once per epoch due to the `onlyNewEpoch(_tokenId)` modifier preventing the user from accruing excess unclaimed Flux. This however can be abused if the voting power of a token is transferred to a new `tokenId` using `VotedEscrow.merge()`. After calling `VotedEscrow.merge()` the voting power shall be transfered to a new token and the `Voter.reset()` can be called again on the new `tokenId` within the same epoch. ## Impact Details The impact is that the user can accrue potentially unlimited amount of unclaimed Flux. The unclaimed Flux could be used to execute unfair voting by increasing the user's voting power. It could also be claimed and sold on the open market to suppress the Flux price which will allow other users to unlock their veALCX tokens at lower prices hence destroying the entire voting system credibility. ## References ## Proof of Concept Add to the `VotingEscrow.t.sol` the following code: ```solidity function testAbuseResetFlux() public { hevm.startPrank(admin); uint256 tokenIdLarge = veALCX.createLock(TOKEN_100K, THREE_WEEKS, false); uint256 tokenIdSmall = veALCX.createLock(TOKEN_1, THREE_WEEKS, false); voter.reset(tokenIdLarge); console.log("Unclaimed Flux on tokenIdLarge: %d", flux.unclaimedFlux(tokenIdLarge)); veALCX.merge(tokenIdLarge, tokenIdSmall); voter.reset(tokenIdSmall); // we can see that the user amassed double of the unclaimedFlux during single epoch, this pattern could be repeated with more smaller vALCX locks console.log("Unclaimed Flux on tokenIdSmall: %d", flux.unclaimedFlux(tokenIdSmall)); hevm.stopPrank(); } ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/alchemix/30683-sc-critical-user-can-increase-their-unclaimed-flux-token-wi....md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.