Last updated
Was this helpful?
Submitted on May 21st 2024 at 04:49:19 UTC by @jecikpo for
Report ID: #31544
Report type: Smart Contract
Report severity: High
Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/VotingEscrow.sol
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
Temporary freezing of funds for 12 hours
When a sufficiently small amount of tokens is deposited and locked as veALCX it is not included into the bias due to division by iMAXTIME
When a new slope is calculated at _checkpoint() the difference in bias is divided through timestamp. If the value is smaller than the timestamp the result of division is zero, hence no bias increase is added to the checkpoint.
The Voting power of a user is not increased despite increased deposit. While the impact is minuscule as the amount of tokens that can be lost is so small. It still affects the correctness of accounting. It should be fairly easy to prevent that from happening by establishing a minimum deposit requirement.
https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/VotingEscrow.sol#L1157
Paste the following code into Voting.t.sol:
We can see that that the amount of votes didn't change after additional tokens were deposited into a veALCX:
