Last updated
Was this helpful?
Submitted on May 8th 2024 at 04:15:13 UTC by @marchev for
Report ID: #30918
Report type: Smart Contract
Report severity: Insight
Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/VotingEscrow.sol
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
As per the ERC721 specification, NFTs assigned to zero address are considered invalid, and ownerOf() queries about them must revert. However, the implementation of VotingEscrow#ownerOf() returns address(0) for such NFTs and not comply with that and thus makes veALCX not compliant with ERC721.
The states the following:
This means that every compliant ERC721 token must implement the ownerOf() function so that it throws if a _tokenId is passed that belongs to address(0). However, VotingEscrow's implementation looks like this:
For a non-existent _tokenId, this implementation will return address(0) instead of reverting. This behavior is not compliant with the ERC721 specification.
Due to the incorrect implementation of the ownerOf() function, the veALCX token does not conform to the ERC721 standard. This leads to problems with composability and interoperability. Other protocols that integrate with the veALCX token may malfunction since they expect standard behaviors the token does not support, potentially leading to operational disruptions.
Problematic implementation:
https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/VotingEscrow.sol#L230-L232
Docs references which state that ERC721 compliance is expected:
https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/VotingEscrow.sol#L16
https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/CONTRACTS.md
Add the following test to src/test/VotingEscrow.t.sol:
Make sure the following entries are updated in Makefile:
Run the PoC via make test_file_test
