31526 - [SC - Critical] A user is able to claim more bribes than they h...
Last updated
Was this helpful?
Last updated
Was this helpful?
Submitted on May 21st 2024 at 02:09:30 UTC by @hulkvision for
Report ID: #31526
Report type: Smart Contract
Report severity: Critical
Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/Bribe.sol
Impacts:
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
A user is be able to claim more bribes than they have earned
A user is able to claim more bribes than they have earned by claiming bribes for epochs they have not voted in.
A user can claim bribes in next epoch for epochs they have voted in and once they have claimed bribes for the previous epoch they should not be able to claim bribes again without voting or poke.
The issue is when user claims the bribe reward for an epoch instead of balance of user getting reset, the balance of user remains unchanged and this allows user to claim bribe reward even for epochs they have not voted in.
In Bribe.sol
Steps for Attack
User A and User B(BlackHat) create two tokenId with same amount and maxLock enabled.
In Epoch 1 Both User A and User B(BlackHat) votes by calling vote
function in Voter.sol
thus becoming eligible for claiming bribes in epoch 2.
In Epoch 2 Both User A and User B claims bribe and only user A votes in epoch 2 so only User A should become eligible for claiming bribe in epoch 3 .
In Epoch 3 User B claims bribe by calling claimBribes
from Voter.sol
here user B should not be able to claim bribe in epoch 3 because user B has already claimed bribe for voting in Epoch 1 in Epoch 2 and did not voted again in Epoch 3 but user B was able to claim bribe because of the vulnerability.
One of the assumed invariant set by Team has been broken
A user should never be able to claim more bribes than they have earned
BlackHat can also prevent some users from claiming their share of bribe by calling claimBribes
before them and stealing their share of bribes.
https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/Bribe.sol#L283-300
Add this test to src/test/Voting.t.sol
and run with forge test --mt testPOCVoteOnceAndClaimBribes() --rpc-url $RPC_URL -vvvv