30921 - [SC - Low] Referential assignment causes incorrect block i...
Submitted on May 8th 2024 at 07:08:16 UTC by @NinetyNineCrits for Boost | Alchemix
Report ID: #30921
Report type: Smart Contract
Report severity: Low
Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/VotingEscrow.sol
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
Description
Brief/Intro
Due to referential assignment of struct variables, the block interpolation is done incorrectly. Since the blocknumbers of that struct are currently not used this does not have a direct impact, beyond storing incorrect values (which may cause issues on future use)
Vulnerability Details
The VotingEscrow._checkpoint function does this assignment:
This behaves like references in other languages such as Java, where if you manipulate a property on either variables, you would change the data on the underlying instance and both variables would then use the new value. A minimal foundry test to showcase this:
The same thing happens in _checkpoint where lastPoint.ts is changed and initialLastPoint.ts then uses that value:
The term _time - initialLastPoint.ts will now always be 0 and lastPoint.blk always be calculated incorrectly (at least if _checkpoint has not been called for more than a week).
A POC that logs the resulting values:
This will log the following:
Note how the blk value only changes on the last iteration.
Impact Details
As mentioned in the intro for now the impact is limited to incorrect calculations and storage of the result. The blk field is currently not in use, but is referenced in the unused _findBlockEpoch method, which would be affected on future use.
Recommendation
Direct assignment doesnt copy, thats why Velodrome creates a new struct object explicitly:
References
None
Proof of Concept
Same test as in the description:
Last updated