Increase voting power by tokenizing the address that deposits the token #552
Labels: bug, invalid, sponsor disputed
Lines of code
https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/vote-escrow/VoteEscrowCore.sol#L833-L866
Vulnerability details
Impact
Similar to code-423n4/2022-05-aura-findings#278.
Without a restriction on the type of address that deposits the token, a bad actor could deposit the token through a smart contract. The bad actor could attract people to deposit the token through his smart contract instead of depositing directly with VoteEscrowCore, by injecting better short-term incentives into his wrapper token. This enables the bad actor to accumulate voting power that could dictate the future of the protocol.
Proof of Concept
https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/vote-escrow/VoteEscrowCore.sol#L833-L866
Tools Used
None
Recommended Mitigation Steps
It would be best to check whether the depositor is a smart contract or a wallet and, if the protocol wants smart contracts to be able to deposit, it can implement a whitelist or blacklist.
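One way to implement the recommended depositor check, as an added example that is not part of the original report and is not VoteEscrowCore code. The contract `GatedEscrow`, its `deposit` and `setAllowedContract` functions, and the `onlyAllowedDepositor` modifier are hypothetical names, and the lock-duration logic of a real vote escrow is left out to keep the gate itself in focus.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.11;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical names throughout; this is an illustration, not VoteEscrowCore.
contract GatedEscrow {
    IERC20 public immutable token;
    address public immutable admin;
    mapping(address => bool) public allowedContract; // allowlisted contract depositors
    mapping(address => uint256) public locked;       // deposited balance per depositor

    event ContractAllowed(address indexed depositor, bool allowed);

    constructor(IERC20 token_) {
        token = token_;
        admin = msg.sender;
    }

    modifier onlyAllowedDepositor() {
        // msg.sender == tx.origin holds only when the caller is the account
        // that signed the transaction, i.e. no intermediate contract.
        // A code-size check is deliberately not used: it reads zero while a
        // contract's constructor is still running, so it would let a wrapper
        // deposit from its constructor.
        if (msg.sender != tx.origin) {
            require(allowedContract[msg.sender], "contract not allowlisted");
        }
        _;
    }

    // Admin opts specific contracts (e.g. a multisig) into depositing.
    function setAllowedContract(address depositor, bool allowed) external {
        require(msg.sender == admin, "not admin");
        allowedContract[depositor] = allowed;
        emit ContractAllowed(depositor, allowed);
    }

    function deposit(uint256 value) external onlyAllowedDepositor {
        require(value > 0, "zero value");
        locked[msg.sender] += value;
        require(token.transferFrom(msg.sender, address(this), value), "transfer failed");
    }
}
```

The gate covers only the deposit entry point, so any other function that creates a lock or moves one to a different address needs the same check. Smart-contract wallets are blocked by default and must be allowlisted by the admin.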