Incorrect accounting of totalVoting leads to permanent freeze of funds in Bribe contract and incorrect bribe distribution.
Vulnerability Details
In Voter.sol In an epoch user can vote by calling vote function or poke by calling poke function if user has already voted in that epoch or previous epoch. User is also allowed to call poke function multiple times in an epoch, calling poke function multiple times does not changes the vote and does not inflate voting power. When vote or poke is called in an epoch, user becomes eligible for claiming bribes in next epoch. When user calls vote or poke function two external calls are made to bribe contract withdraw and deposit functions respectively . when voting power is zero call to withdraw function is skipped.
The issue is when poke is called by a user multiple times totalVoting is inflated which causes incorrect calculation of bribe reward for all the participating users.
The POC steps are as follows
User A and User B(BlackHat) create two token with same amount and maxLock enabled.
In Epoch 1 user A votes in Voter.sol contract by calling vote function .
User B (BlackHat) votes in Voter.sol contract by calling vote function
User B calls poke function multiple times from Voter.sol contract and inflating totalVoting variable of Bribe contract.
Epoch 2 starts and now both user claims their bribes but because of BlackHat both user gets incorrect bribes less than what they should have gotten , they should have received half of total token balance of Bribe contract each.
The bribe contract is left with remaining token balance which cannot be claimed later.
Impact Details
The vulnerability leads to incorrect bribe distribution , all voter receives less bribe reward than they should have received.
The remaining bribe reward is forever locked in the bribe contract.
Funds are lost for protocol and participating users.