Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Delegatees can keep delegator's deposits against their will using frontrunning #369

Closed
code423n4 opened this issue Aug 10, 2023 · 10 comments
Closed

Delegatees can keep delegator's deposits against their will using frontrunning #369

code423n4 opened this issue Aug 10, 2023 · 10 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-182 partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) upgraded by judge Original issue severity upgraded from QA/Gas by judge

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/VotingEscrow.sol#L384

Vulnerability details

Impact

A voter cannot redelegate his deposit except the new delegatee has a higher lock time than the current delegatee.

   require(toLocked.end >= fromLocked.end, "Only delegate to longer lock");

This is a good design choice for the benefit of the protocol. But for a user that wants to redelegate, undelegate he may be prevented by the current delegatee.

The current delegatee can achieve this by frontrunning any transaction that wants to redelegate an amount currently delegated to him. The frontrun transaction will increase his lock time, which will make the incoming transaction invalid. Although this can be avoided if the transaction is sent through a private RPC URL or if the new delegate's lock time can be increased and the delegation happens in the same block.
Depending on the technical level of the voter, this might be feasible to perform.

Ultimately, the lock time of the new delegatee has to be increased to redelegate or undelegate which may not be favorable for him.

Proof of Concept

  1. Alice creates a lock and deposits 5 CANTO in the Voting Escrow.
  2. Alice delegates to another user.
  3. Alice tries to redelegate but is frontrun by her current delegatee, which leaves her deposits stuck with the delegatee.

Tools Used

Vscode

Recommended Mitigation Steps

The current check seems more like a design choice to make sure voters remain in the contract longer than their lock time. Replacing it with the check below will help achieve the same objective with no detriment to the voter.

        require(toLocked.end >= locked_.end, "Cannot delegate to shorter lock");

Assessed type

Invalid Validation
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Aug 10, 2023
code423n4 added a commit that referenced this issue Aug 10, 2023
@code423n4
nonseodion issue #369
a3404f2
@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #116

@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #82

@c4-judge c4-judge added 3 (High Risk) Assets can be stolen/lost/compromised directly upgraded by judge Original issue severity upgraded from QA/Gas by judge and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Aug 24, 2023
@c4-judge
Copy link

alcueca changed the severity to 3 (High Risk)

@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value downgraded by judge Judge downgraded the risk level of this issue and removed 3 (High Risk) Assets can be stolen/lost/compromised directly upgraded by judge Original issue severity upgraded from QA/Gas by judge labels Aug 24, 2023
@c4-judge
Copy link

alcueca changed the severity to 2 (Med Risk)

@c4-judge c4-judge added duplicate-411 partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) and removed duplicate-82 labels Aug 24, 2023
@c4-judge
Copy link

alcueca marked the issue as partial-50

@c4-pre-sort
Copy link

141345 marked the issue as not a duplicate

@c4-pre-sort c4-pre-sort reopened this Aug 24, 2023
@c4-pre-sort c4-pre-sort removed partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) duplicate-411 labels Aug 24, 2023
@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #375

@c4-judge c4-judge added the partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) label Aug 24, 2023
@c4-judge
Copy link

alcueca marked the issue as partial-50

@c4-judge
Copy link

alcueca marked the issue as duplicate of #182

@c4-judge c4-judge added duplicate-182 3 (High Risk) Assets can be stolen/lost/compromised directly upgraded by judge Original issue severity upgraded from QA/Gas by judge and removed duplicate-245 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value downgraded by judge Judge downgraded the risk level of this issue labels Aug 29, 2023
@c4-judge
Copy link

alcueca changed the severity to 3 (High Risk)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-182 partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) upgraded by judge Original issue severity upgraded from QA/Gas by judge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@code423n4 @c4-judge @c4-pre-sort