#37427 [SC-Critical] Delegation is not updated on slash and unlock
Previous#37443 [SC-Insight] Race Condition in KeyedBroadcaster ImplementationNextStacks I Attackathon
Last updated
Was this helpful?
Last updated
Was this helpful?
Submitted on Dec 4th 2024 at 14:44:39 UTC by @shadowHunter for
Report ID: #37427
Report Type: Smart Contract
Report severity: Critical
Target: https://github.com/celo-org/celo-monorepo/blob/release/core-contracts/12/packages/protocol/contracts/governance/LockedGold.sol
Impacts:
Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results
It was observed that delegation is not updated on slashing for reporter and caller in unlock operation. This causes incorrect balance accounting
Observe the 'slash' function and 'unlock` function
Both of this function calls _incrementNonvotingAccountBalance and _decrementNonvotingAccountBalance which changes the non voting balance and thus AccountTotalLockedGold
Lets say User A is unlocking or calling slash on another User B then it is always required to call _updateDelegatedAmount on both Users so that delegated balance gets updated correctly as per new total locked
But the same is missing in both functions
Delegated balance power will be incorrect
In unlock call _updateDelegatedAmount(msg.sender); In slash call _updateDelegatedAmount(reporter);