377 function claimableFlux(uint256 _tokenId) public view returns (uint256) {
378 // If the lock is expired, no flux is claimable at the current epoch
379 if (block.timestamp > locked[_tokenId].end) {
380 return 0;
381 }
382
383 // Amount of flux claimable is <fluxPerVeALCX> percent of the balance
384 return (_balanceOfTokenAt(_tokenId, block.timestamp) * fluxPerVeALCX) / BPS;
385 }
As we can see above, claimableFlux only calcuate the tokenId's voting power, it doesn't record if the Flux has been claimed already. So if a malicious user keep calling Voter.poke, his tokenId's unclaimedFlux will keeping increasing.
Impact Details
Malicious user can steal FLUX token by abusing Voter.poke
References
Add any relevant links to documentation or code
Proof of Concept
Put the following code in src/test/Voting.t.sol and run
FOUNDRY_PROFILE=default forge test --fork-url https://eth-mainnet.alchemyapi.io/v2/0TbY2mhyGA4gLPShfh-PwBlQ3PDNUdL1 --fork-block-number 17133822 --mc VotingTest --mt testAlicePoke -vv
[⠊] Compiling...
No files changed, compilation skipped
Ran 1 test for src/test/Voting.t.sol:VotingTest
[PASS] testAlicePoke() (gas: 2564522)
Logs:
getUnclaimedFlux: 1879449739964023604
getUnclaimedFlux: 2799996511899518614
getUnclaimedFlux: 3720543283835013624
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 5.59ms (1.90ms CPU time)
Ran 1 test suite in 1.29s (5.59ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)
As we can see from the above output, every time Alice calls Voter.poke, her unclaimed Flux will increase.
