31483 - [SC - Critical] Users can vote multiple times in one epoch
Previous31481 - [SC - Critical] Undound FLUX accrual through reset and mergeNext31484 - [SC - High] Rewards for the first epoch at rewards distribu...
Last updated
Was this helpful?
Last updated
Was this helpful?
Submitted on May 20th 2024 at 05:58:18 UTC by @MahdiKarimi for
Report ID: #31483
Report type: Smart Contract
Report severity: Critical
Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/Voter.sol
Impacts:
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Theft of unclaimed yield
Users can mint unlimited flux by calling poke multiple times
The vote function at voter uses onlyNewEpoch modifier so users can vote only once per epoch and receive flux tokens, however, the poke function that applies voting in the last epoch to the current epoch doesn't use this modifier and user can call it multiple times in one epoch and receive unlimited flux also, every time _vote function is called in poke, it resets the last voting and calls deposit at the bribe which inflates total voting at bribe so distributed rewards to bribe would be lost ( total voting used to calculate amount of rewards has been distributed per token )
Minting unlimited flux tokens leads flux price to 0 ( Direct theft of any user funds, whether at rest or in motion, other than unclaimed yield ) , the flux token is used as a reward for users but it's an ERC20 and can be traded in markets ( has some utilities ) so minting unlimited flux affects all flux holders ( not just rewarded users ) and leads to the loss of their assets that's why I believe it's considered direct theft of user funds.
Loss of distributed rewards at underlying bribes
https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/Voter.sol#L195-L212