Bribe@getRewardForOwner writes the same checkpoint in a loop
Issue Description
When multiple tokens are claimed, the same check point (same balance, same timestamp) will be written multiple times (up to the number of claimed tokens).
Rewards will be lost for a token if it's merged before claiming them
Issue Description
VotingEscrow@merge doesn't claim rewards from RewardsDistributor for the merged token before burning it. This makes it impossible to claim the rewards if it wasn't done before merging since the approval check will fail.
function merge(uint256 _from, uint256 _to) external {
require(!voted[_from], "voting in progress for token");
require(_from != _to, "must be different tokens");
require(_isApprovedOrOwner(msg.sender, _from), "not approved or owner");
require(_isApprovedOrOwner(msg.sender, _to), "not approved or owner");
LockedBalance memory _locked0 = locked[_from];
LockedBalance memory _locked1 = locked[_to];
// Cannot merge if cooldown is active or lock is expired
require(_locked0.cooldown == 0, "Cannot merge when cooldown period in progress");
require(_locked1.cooldown == 0, "Cannot merge when cooldown period in progress");
require(_locked0.end > block.timestamp, "Cannot merge when lock expired");
require(_locked1.end > block.timestamp, "Cannot merge when lock expired");
uint256 value0 = uint256(_locked0.amount);
// If max lock is enabled retain the max lock
_locked1.maxLockEnabled = _locked0.maxLockEnabled ? _locked0.maxLockEnabled : _locked1.maxLockEnabled;
IFluxToken(FLUX).mergeFlux(_from, _to);
// If max lock is enabled end is the max lock time, otherwise it is the greater of the two end times
uint256 end = _locked1.maxLockEnabled
? ((block.timestamp + MAXTIME) / WEEK) * WEEK
: _locked0.end >= _locked1.end
? _locked0.end
: _locked1.end;
locked[_from] = LockedBalance(0, 0, false, 0);
_checkpoint(_from, _locked0, LockedBalance(0, 0, false, 0));
_burn(_from, value0);
_depositFor(_to, value0, end, _locked1.maxLockEnabled, _locked1, DepositType.MERGE_TYPE);
}
function claim(uint256 _tokenId, bool _compound) external payable nonReentrant returns (uint256) {
if (!_compound) {
require(msg.value == 0, "Value must be 0 if not compounding");
}
bool approvedOrOwner = IVotingEscrow(votingEscrow).isApprovedOrOwner(msg.sender, _tokenId);
bool isVotingEscrow = msg.sender == votingEscrow;
require(approvedOrOwner || isVotingEscrow, "not approved"); // <==== Audit
// ...
}
Voter@pokeTokens will fail when the poked token lock is expired
Issue Description
It will fail at the reset step if the token already voted in the current epoch, either normally or by the owner front running the pokeTokens transaction with a reset.
It will fail at the poke (poke -> vote) step because the voting power of the token will be 0.
function pokeTokens(uint256[] memory _tokenIds) external {
// ...
for (uint256 i = 0; i < _tokenIds.length; i++) {
uint256 _tokenId = _tokenIds[i];
// If the token has expired, reset it
if (block.timestamp > IVotingEscrow(veALCX).lockEnd(_tokenId)) {
reset(_tokenId); // <==== Audit
}
poke(_tokenId); // <==== Audit
}
}
function poke(uint256 _tokenId) public {
// Previous boost will be taken into account with weights being pulled from the votes mapping
uint256 _boost = 0;
// ...
_vote(_tokenId, _poolVote, _weights, _boost); // <==== Audit
}
function reset(uint256 _tokenId) public onlyNewEpoch(_tokenId) { // <==== Audit
}
function _vote(uint256 _tokenId, address[] memory _poolVote, uint256[] memory _weights, uint256 _boost) internal {
// ...
uint256 totalPower = (IVotingEscrow(veALCX).balanceOfToken(_tokenId) + _boost); // <==== Audit
for (uint256 i = 0; i < _poolCnt; i++) {
// ...
uint256 _poolWeight = (_weights[i] * totalPower) / _totalVoteWeight; // <==== Audit
require(votes[_tokenId][_pool] == 0, "already voted for pool");
require(_poolWeight != 0, "cannot vote with zero weight"); // <==== Audit
// ...
}
}
Boost is not carried over in Voter when poking
Issue Description
The following comment in the Voter@poke function suggests that boosts is carried over when poking :
// Previous boost will be taken into account with weights being pulled from the votes mapping
However this is not the case.
For example, a user votes on a single pool with a weight of X using a token which has a voting power of Y and uses a boost of Z :
_totalVoteWeight will be equal to X
totalPower will be equal to Y + Z
_poolWeight will be equal to X * (Y + Z) / X = Y + Z
Now the user pokes using that same token :
_totalVoteWeight will be equal to Y + Z
totalPower will be equal to Y + 0 = Y
_poolWeight will be equal to (Y + Z) * (Y) / (Y + Z) = Y
The weights stay proportional to the initial vote weights but the boost is lost.
function poke(uint256 _tokenId) public {
// Previous boost will be taken into account with weights being pulled from the votes mapping
uint256 _boost = 0;
// ...
address[] memory _poolVote = poolVote[_tokenId];
uint256 _poolCnt = _poolVote.length;
uint256[] memory _weights = new uint256[](_poolCnt);
for (uint256 i = 0; i < _poolCnt; i++) {
_weights[i] = votes[_tokenId][_poolVote[i]];
}
_vote(_tokenId, _poolVote, _weights, _boost); // <==== Audit
}
function _vote(uint256 _tokenId, address[] memory _poolVote, uint256[] memory _weights, uint256 _boost) internal {
_reset(_tokenId);
uint256 _poolCnt = _poolVote.length;
uint256 _totalVoteWeight = 0;
uint256 _totalWeight = 0;
for (uint256 i = 0; i < _poolCnt; i++) {
_totalVoteWeight += _weights[i]; // <==== Audit
}
IFluxToken(FLUX).accrueFlux(_tokenId);
uint256 totalPower = (IVotingEscrow(veALCX).balanceOfToken(_tokenId) + _boost); // <==== Audit
for (uint256 i = 0; i < _poolCnt; i++) {
address _pool = _poolVote[i];
address _gauge = gauges[_pool];
require(isAlive[_gauge], "cannot vote for dead gauge");
uint256 _poolWeight = (_weights[i] * totalPower) / _totalVoteWeight; // <==== Audit
// ...
votes[_tokenId][_pool] += _poolWeight;
// ...
}
// ...
}
There is no link between the Minter and Voter epochs
Issue Description
There is no link between the Minter and Voter epochs even if they share the same duration.
This means that voters can vote as soon as possible even before a distribution.
In this case, total votes will be reset to 0 in bribes discarding previous voters and leading to the rewards being split based on future voters but still be distributed to all of them. Not all of them will able to claim though (fewer voters are accounted for mean more rewards per voter).
The proposer threshold (amount needed to be able to create a proposal) is checked at the proposal creation time based on the veALCX balance of the creator and the veALCX total supply at that time :
This would allow to create a proposal with 0 voting power as the proposal threshold is initially 0 when veALCX total voting power is still 0 (or decays to 0). This may also lead to easily pass a proposal depending on the veALCX voting power created up to the start of the voting period.
Reentrancy guard modifier is named differently across different contracts
