
vote_for_gauge_weights in GaugeController.sol allows for quick vote and withdraw voting strategy, which could hurt the protocol #31

Closed
code423n4 opened this issue Aug 8, 2023 · 5 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-77 unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@code423n4
Contributor

Lines of code

https://github.com/code-423n4/2023-08-verwa/blob/9a2e7be003bc1a77b3b87db31f3d5a1bcb48ed32/src/GaugeController.sol#L211-L278

Vulnerability details

Impact

The voting system can be abused by anybody to apply any of the user's weight in every gauge's vote.

Proof of Concept

The GaugeController voting system changes the weight of the gauges by letting users split their voting power between different gauges
https://github.com/code-423n4/2023-08-verwa/blob/9a2e7be003bc1a77b3b87db31f3d5a1bcb48ed32/src/GaugeController.sol#L212-L234
and the sum of the weight used by the users should not exceed a total of 10000
https://github.com/code-423n4/2023-08-verwa/blob/9a2e7be003bc1a77b3b87db31f3d5a1bcb48ed32/src/GaugeController.sol#L241
but as the code is right now, there is no lock to prevent users from removing their weight after they voted on a specific gauge and voting again.
Considering all of this, an attacker could just:

  • call vote_for_gauge_weights with _user_weight being 10000, the maximum amount of weight that can be used, close to the end of the vote
  • after the vote ends, he can call vote_for_gauge_weights with _user_weight 0, resetting all of his vote_user_power
  • then he calls vote_for_gauge_weights with 10000 on another gauge, manipulating the gauge weight updates more than he should.

Tools Used

Manual review

Recommended Mitigation Steps

The same issue was found by Trail of Bits when reviewing Curve-DAO
https://github.com/trailofbits/publications/blob/master/reviews/CurveDAO.pdf
more specifically issue number 4. The way Curve solved this problem was by not letting a user vote multiple times in a period of 10 days, as can be seen here
https://github.com/curvefi/curve-dao-contracts/blob/9ba007a5013dd46e66401bc552933407f0bee044/contracts/GaugeController.vy#L439
which is something that you can consider and implement too.

Assessed type

Governance
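The following contract is an added illustration of the vote-and-withdraw pattern and of the Curve-style cooldown proposed as mitigation; it is not the veRWA GaugeController and not code from the report. It keeps the report's names (vote_for_gauge_weights, vote_user_power, the 10000 cap) and borrows Curve's `last_user_vote` / `WEIGHT_VOTE_DELAY` check, which in Curve is keyed per (user, gauge). The storage layout, the `enforceDelay` switch, and the unscaled weight bookkeeping (no ve-balance, slope or per-period checkpoints) are assumptions made to keep the example short.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Toy gauge controller (added example, not the audited contract).
/// Deploy with enforceDelay = false to get the behaviour the report describes,
/// or enforceDelay = true to get Curve's "Cannot vote so often" lock.
contract GaugeVoteSketch {
    uint256 public constant MAX_USER_WEIGHT = 10_000;     // 100% in basis points
    uint256 public constant WEIGHT_VOTE_DELAY = 10 days;  // Curve's cooldown length

    // total weight a user currently has allocated across all gauges
    mapping(address => uint256) public vote_user_power;
    // weight a user currently has on a given gauge
    mapping(address => mapping(address => uint256)) public userGaugeWeight;
    // total weight on a gauge (toy: plain sum of user weights, no ve scaling)
    mapping(address => uint256) public gaugeWeight;
    // timestamp of the user's last vote on each gauge (only used when enforceDelay is set)
    mapping(address => mapping(address => uint256)) public last_user_vote;

    bool public immutable enforceDelay;

    constructor(bool _enforceDelay) {
        enforceDelay = _enforceDelay;
    }

    function vote_for_gauge_weights(address gauge, uint256 userWeight) external {
        require(userWeight <= MAX_USER_WEIGHT, "weight above 100%");

        if (enforceDelay) {
            // Curve's mitigation: a (user, gauge) pair may be changed at most once per delay,
            // so the "vote 10000, then reset to 0 right after the period" step reverts.
            require(
                block.timestamp >= last_user_vote[msg.sender][gauge] + WEIGHT_VOTE_DELAY,
                "Cannot vote so often"
            );
        }

        uint256 oldWeight = userGaugeWeight[msg.sender][gauge];
        // oldWeight is always part of vote_user_power, so this cannot underflow
        uint256 newPower = vote_user_power[msg.sender] - oldWeight + userWeight;
        require(newPower <= MAX_USER_WEIGHT, "Used too much power");

        gaugeWeight[gauge] = gaugeWeight[gauge] - oldWeight + userWeight;
        userGaugeWeight[msg.sender][gauge] = userWeight;
        vote_user_power[msg.sender] = newPower;
        last_user_vote[msg.sender][gauge] = block.timestamp;
    }
}

// Sequence from the report, all in one block, with enforceDelay == false:
//   vote_for_gauge_weights(A, 10000);  // ok, vote_user_power == 10000
//   vote_for_gauge_weights(A, 0);      // ok, vote_user_power back to 0
//   vote_for_gauge_weights(B, 10000);  // ok, the full 10000 is now on B
// This toy has no per-period checkpoints, so the reset simply moves the weight; in a
// controller that snapshots gauge weights per period, the weight already counted for A
// in the ended period stays counted, which is the report's concern.
// With enforceDelay == true the second call reverts ("Cannot vote so often") because
// last_user_vote[user][A] was set by the first call less than 10 days earlier.
```

The cooldown is deliberately keyed by gauge rather than by user alone: a user can still spread weight over several gauges in one transaction, but cannot retract a given vote until the delay has passed, which is exactly the step the described strategy needs.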

@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Aug 8, 2023
code423n4 added a commit that referenced this issue Aug 8, 2023
@c4-pre-sort

141345 marked the issue as duplicate of #45

@c4-pre-sort

141345 marked the issue as not a duplicate

@c4-pre-sort

141345 marked the issue as duplicate of #77

@c4-judge

alcueca marked the issue as unsatisfactory: Invalid

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Aug 24, 2023
@alcueca

alcueca commented Aug 24, 2023

See #77
