29181 - [SC - High] Tautology in PoolVoterregisterGauge makes it im...
Submitted on Mar 9th 2024 at 20:29:08 UTC by @nethoxa for Boost | ZeroLend
Report ID: #29181
Report type: Smart Contract
Report severity: High
Target: https://github.com/zerolend/governance
Impacts:
Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Description
Brief/Intro
Tautology in PoolVoter::registerGauge makes it impossible to add pools to the _pools array, as it checks for isPool[_asset] to be true, which is set in the same logical branch so it can't be triggered. That makes most of the distribute* functions useless as they rely on either _pools.length (which would be 0 so they become NOPs) or they access elements inside such array, triggering an OOB error and always reverting such a transaction.
Vulnerability Details
It is pretty visual, the only place where isPool is set to true for a given asset is in PoolVoter::registerGauge:
however, as mappings defaults to 0 or false, it won't be triggered and the _pools array will remain empty.
Impact Details
Calls to distribute or distributeEx will either revert or return without doing anything, as they rely on _pools.length to iterate the array or they will access it, even if it is empty. That is, those functions remain useless, so it can be seen a self-griefing from the contract to any user who calls those functions.
Proof of Concept
I initialized a Foundry repo to test it, but I believe this is simple enough that it does not matter which framework you use to test it. I can provide the repo if you want:
Last updated