30921 - [SC - Low] Referential assignment causes incorrect block i...

Submitted on May 8th 2024 at 07:08:16 UTC by @NinetyNineCrits for Boost | Alchemix

Report ID: #30921

Report type: Smart Contract

Report severity: Low

Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/VotingEscrow.sol

Impacts:

• Contract fails to deliver promised returns, but doesn't lose value

Description

Brief/Intro

Due to referential assignment of struct variables, the block interpolation is done incorrectly. Since the blocknumbers of that struct are currently not used this does not have a direct impact, beyond storing incorrect values (which may cause issues on future use)

Vulnerability Details

The VotingEscrow._checkpoint function does this assignment:

Point memory initialLastPoint = lastPoint;

This behaves like references in other languages such as Java, where if you manipulate a property on either variables, you would change the data on the underlying instance and both variables would then use the new value. A minimal foundry test to showcase this:

The same thing happens in _checkpoint where lastPoint.ts is changed and initialLastPoint.ts then uses that value:

The term _time - initialLastPoint.ts will now always be 0 and lastPoint.blk always be calculated incorrectly (at least if _checkpoint has not been called for more than a week).

A POC that logs the resulting values:

This will log the following:

Note how the blk value only changes on the last iteration.

Impact Details

As mentioned in the intro for now the impact is limited to incorrect calculations and storage of the result. The blk field is currently not in use, but is referenced in the unused _findBlockEpoch method, which would be affected on future use.

Recommendation

Direct assignment doesnt copy, thats why Velodrome creates a new struct object explicitly:

References

None

Proof of Concept

Same test as in the description: