30683 - [SC - Critical] User can increase their unclaimed Flux token wi...
Submitted on May 4th 2024 at 11:47:30 UTC by @jecikpo for Boost | Alchemix
Report ID: #30683
Report type: Smart Contract
Report severity: Critical
Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/VotingEscrow.sol
Impacts:
unbound minting of token
Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results
Description
Brief/Intro
A user can increase their unclaimed Flux token amount by the abuse of VotedEscrow.merge() and Voter.reset().
Vulnerability Details
The Voter.reset() function calls FluxToken.accrueFlux(_tokenId) which increases the unclaimed[_tokenId] balance according the _tokenId voting power. The Voter.reset() function can be called only once per epoch due to the onlyNewEpoch(_tokenId) modifier preventing the user from accruing excess unclaimed Flux. This however can be abused if the voting power of a token is transferred to a new tokenId using VotedEscrow.merge().
After calling VotedEscrow.merge() the voting power shall be transfered to a new token and the Voter.reset() can be called again on the new tokenId within the same epoch.
Impact Details
The impact is that the user can accrue potentially unlimited amount of unclaimed Flux. The unclaimed Flux could be used to execute unfair voting by increasing the user's voting power. It could also be claimed and sold on the open market to suppress the Flux price which will allow other users to unlock their veALCX tokens at lower prices hence destroying the entire voting system credibility.
References
https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/VotingEscrow.sol#L618
Proof of Concept
Add to the VotingEscrow.t.sol the following code:
Last updated