31425 - [SC - Medium] Users can call reset on their token even if the...
Previous31420 - [SC - Insight] No array lengths check in VotersolclaimBribesNext31430 - [SC - Insight] QA
Last updated
Was this helpful?
Last updated
Was this helpful?
Submitted on May 18th 2024 at 23:01:57 UTC by @OxAlix2 for
Report ID: #31425
Report type: Smart Contract
Report severity: Medium
Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/Voter.sol
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Users can vote on certain gauges in the Voter contract, allowing them to "withdraw" their votes using the reset function, a note on this function, is that it sets lastVoted for that token ID. However, that function doesn't check if the token has active votes before allowing the user to reset them. This introduces an issue, especially when users move/transfer/sell their tokens, more below...
A bit of context, in VotingEscrow::_transferFrom, there's a check to block the transferring of tokens in case that token has active votes.
This is not there to block users from voting multiple times using the same token, as the vote is saved per token and not per owner. So, this is there to allow a token receiver to immediately have the ability to use that token and vote on gauges.
So a user can use the missing check anomaly to grief NFT buyers (remember tokens are NFTs and are tradable), so a user puts his token for sale, and just before the transferal that user front runs the transfer TX and calls Voter::reset, this blocks the buyer from voting on any gauge in the current epoch.
Users can grief token buyers/receivers and block them from voting in the current epoch.
https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/Voter.sol#L183-L192
Add the following in Voter::reset:
This could be added in if (msg.sender != admin) just in case the admin wanted a higher authority in case of an error.