31298 - [SC - Medium] Anyone can let users delegates reach the upper ...
Submitted on May 16th 2024 at 19:24:04 UTC by @yttriumzz for
Report ID: #31298
Report type: Smart Contract
Report severity: Medium
Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/VotingEscrow.sol
Impacts:
Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Each user in the VotingEscrow contract has a maximum number of delegated $veToken. Any user can delegate their $veToken to other users. An attacker can exploit this to make a user's delegates reach the upper limit.
This bug involves the createLock operation and the delegate operation.
In other words, an attacker can use this bug to DoS a user's createLock and delegate operations.
Suggested fix
It is recommended that users be able to set the minimum number of individual delegates, to prevent dust attacks.
An attacker can make a user no longer able to be delegated to or to mint $veToken. This causes users to be DoSed and may affect governance voting.
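The cap behaviour and the suggested fix described above, as an added Python model that is not the report's PoC or the VotingEscrow code. It assumes the fix means a per-user minimum size for incoming delegations; MAX_DELEGATES = 8, the amounts, the account names and set_min_delegation are constructed for illustration.

```python
# Simplified model of a per-account delegate cap; not the VotingEscrow code.
# MAX_DELEGATES, the amounts and set_min_delegation are constructed assumptions.
MAX_DELEGATES = 8


class DelegateCapReached(Exception):
    """Raised when an account already holds MAX_DELEGATES delegated tokens."""


class EscrowModel:
    def __init__(self):
        self.delegated = {}   # account -> amounts of the tokens delegated to it
        self.min_amount = {}  # account -> smallest third-party delegation accepted

    def set_min_delegation(self, account, amount):
        # Hypothetical opt-in setting that models the suggested fix.
        self.min_amount[account] = amount

    def _attach(self, delegatee, amount):
        slots = self.delegated.setdefault(delegatee, [])
        if len(slots) >= MAX_DELEGATES:
            raise DelegateCapReached(delegatee)
        slots.append(amount)

    def create_lock(self, owner, amount):
        # Model assumption: a new lock counts against the owner's own cap.
        self._attach(owner, amount)

    def delegate(self, sender, delegatee, amount):
        # Third-party delegation; refused when below the delegatee's minimum.
        if sender != delegatee and amount < self.min_amount.get(delegatee, 0):
            return False
        self._attach(delegatee, amount)
        return True


def simulate(min_amount, dust=1, attempts=MAX_DELEGATES):
    """Return (third-party delegations accepted, user's create_lock still works)."""
    model = EscrowModel()
    model.set_min_delegation("user", min_amount)
    accepted = 0
    for _ in range(attempts):
        try:
            accepted += model.delegate("other", "user", dust)
        except DelegateCapReached:
            break
    try:
        model.create_lock("user", 1_000)
        return accepted, True
    except DelegateCapReached:
        return accepted, False
```

In this model a minimum does not remove the cap: delegations at or above the minimum still fill it, so the setting raises the amount that must be locked to MAX_DELEGATES times the minimum.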
None
The PoC patch
Run the PoC
The log