Active Boosts

31397 - [SC - Critical] In Bribesol _writeVotingCheckpoint isnt called ...

Submitted on May 18th 2024 at 01:42:23 UTC by @Praise for Boost | Alchemix

Report ID: #31397

Report type: Smart Contract

Report severity: Critical

Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/Bribe.sol

Impacts:

  • necessary updates aren't done

Description

Brief/Intro

in Bribe.sol, _writeVotingCheckpoint() isn't called to update votingCheckpoints and votingNumCheckpoints whenever votes are withdrawn or there's a reset

Vulnerability Details

In Bribe.deposit(), whenever votes are allocated to a given guage totalVoting is updated with the amount and _writeVotingCheckpoint() is called to update votingCheckpoints and votingNumCheckpoints.

   function deposit(uint256 amount, uint256 tokenId) external {
        require(msg.sender == voter);

        totalSupply += amount;
        balanceOf[tokenId] += amount;

        totalVoting += amount;

        _writeCheckpoint(tokenId, balanceOf[tokenId]);

        _writeSupplyCheckpoint();
        _writeVotingCheckpoint();

        emit Deposit(msg.sender, tokenId, amount);
    }

Now the issue lies in Bribe.withdraw() & Bribe.resetVoting(), where necessary updates aren't done.

  1. in Bribe.withdraw() whenever votes are withdrawn from a given guage, the withdrawn votes aren't deducted from totalVoting and _writeVotingCheckpoint() isn't called to update votingCheckpoints and votingNumCheckpoints

  1. In Bribe.resetVoting() when totalVoting is reset by making it 0, _writeVotingCheckpoint() isn't called to update votingCheckpoints and votingNumCheckpoints

So whenever Bribe.withdraw() / Bribe.resetVoting() is done, record of balance checkpoints for voting period is not updated.

Impact Details

  1. After Bribe.withdraw() is done, withdrawn votes doesn't reflect on totalVoting. This is wrong

  2. resetting of votes is never updated in votingCheckpoints and votingNumCheckpoints

Necessary updates aren't done after such trivial operations.

References

https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/Bribe.sol#L319

https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/Bribe.sol#L332

Proof of Concept

Previous31390 - [SC - High] Precision Loss in FluxTokensolgetClaimableFluxNext31399 - [SC - High] RewardDistributor claims can be DoSed through e...

Last updated

Was this helpful?