Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Function getPastDelegate may return incorrect values #87

Closed
code423n4 opened this issue Apr 2, 2022 · 2 comments
Closed

Function getPastDelegate may return incorrect values #87

code423n4 opened this issue Apr 2, 2022 · 2 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) duplicate This issue or pull request already exists invalid This doesn't seem right sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-03-paladin/blob/9c26ec8556298fb1dc3cf71f471aadad3a5c74a0/contracts/HolyPaladinToken.sol#L976-L990

Vulnerability details

Impact

By calling delegate function of HolyPaladinToken contract two or more times in a single block (including a transaction so it is possible to flash loan assets and pass them to more and more accounts), users can add elements to the delegateCheckpoints array with the same fromBlock properties, but different delegatees. This edge case is not considered in the implementation of getPastDelegate function, which returns a value as soon as it finds a DelegateCheckpoint with matching fromBlock property (see HolyPaladinToken.sol:981-983). If there are more checkpoints with the same block number, that function should return the latest one, i.e. the one with the highest index.
In its current implementation getPastDelegate function can also return a different value after changing the length of the log, either from the correct value to an incorrect or the other way.

Any governance system based on reading this function will inevitably fail because the attacker can use voting power for their funds multiple times from different addresses.
Not only does this bug break any external tools which rely on that function, but it also affects the return value of getPastVotes function, which sometimes may not take the locking bonus into account.

Recommended mitigation steps

There are two obvious ways of fixing this issue: either by removing the check in HolyPaladinToken.sol:981-983 or by not allowing adding elements to the delegateCheckpoints array with the same fromBlock property. While both ways are viable, the latter one is preferred as it is a gas optimization.
Checks should be added whether or not the block number of the last element of delegateCheckpoints array is equal to the current block number, and if it is, modify that element instead of adding a new one.
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Apr 2, 2022
code423n4 added a commit that referenced this issue Apr 2, 2022
@code423n4
Czar102 issue #87
ebda0d2
@Kogaroshi Kogaroshi added duplicate This issue or pull request already exists disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") labels Apr 3, 2022
@Kogaroshi
Copy link
Collaborator

Duplicate of #20
See in this issue for PR with changes

@0xean
Copy link
Collaborator

0xean commented Apr 8, 2022

closing as invalid, warden submitted three issues with same attack vector see #84 and #86

@0xean 0xean closed this as completed Apr 8, 2022
@0xean 0xean added the invalid This doesn't seem right label Apr 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) duplicate This issue or pull request already exists invalid This doesn't seem right sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@0xean @Kogaroshi @code423n4