Owner can not set the ve address via RewardDistributor.addVoteEscrow
#611
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
resolved
Finding has been patched by sponsor (sponsor pls link to PR containing fix)
selected-for-report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/rewards/RewardDistributor.sol#L300
https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/rewards/RewardDistributor.sol#L173
Vulnerability details
Impact
On the initial RewardDistributor.addVoteEscrow call, the owner of the contract can set the ve address without a timelock (which is intended according to the function documentation). However, the function parameter _voteEscrow is not used for the assignment; instead the storage variable pendingVoteEscrow (which is not initialized, hence address(0)) is used, so the ve storage variable cannot be set to the provided _voteEscrow address.
This prevents setting the ve address (ve is set to address(0)) and therefore prevents veNFT holders from claiming reward tokens and Ether rewards via RewardDistributor.multiStakerClaim.
Proof of Concept
RewardDistributor.sol#L300
RewardDistributor.sol#L173
Tools Used
Manual review
Recommended mitigation steps
Use the correct function parameter _voteEscrow:
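The following is a constructed illustration of the defect described in the Proof of Concept and of the mitigation recommended above; it is added here and is not the Golom RewardDistributor source. Only the names ve, pendingVoteEscrow, _voteEscrow and addVoteEscrow come from the finding; the owner check, the IVoteEscrow interface, the pending/timelock branch and the sample address are assumptions made to keep the example self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration of the finding, not the Golom RewardDistributor
// source. The names ve, pendingVoteEscrow, _voteEscrow and addVoteEscrow are
// taken from the finding; the owner check, the pending/timelock branch and the
// IVoteEscrow interface are assumptions made to keep the example self-contained.
interface IVoteEscrow {}

abstract contract RewardDistributorBase {
    address public owner = msg.sender;      // deployer is the owner (assumption)
    IVoteEscrow public ve;                  // address(0) until set
    address public pendingVoteEscrow;       // address(0) until a change is queued
    uint256 public voteEscrowEnableDate;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function addVoteEscrow(address _voteEscrow) external virtual;
}

// Defective shape described in the finding: the first call is meant to set ve
// directly, but it reads the still-zero storage variable pendingVoteEscrow
// instead of the _voteEscrow parameter, so ve remains address(0).
contract RewardDistributorBuggy is RewardDistributorBase {
    function addVoteEscrow(address _voteEscrow) external override onlyOwner {
        if (address(ve) == address(0)) {
            ve = IVoteEscrow(pendingVoteEscrow); // bug: parameter ignored
        } else {
            pendingVoteEscrow = _voteEscrow;     // assumed timelocked update path
            voteEscrowEnableDate = block.timestamp + 1 days;
        }
    }
}

// Corrected shape: the initial assignment uses the parameter, and a zero
// address is rejected so the contract cannot be left in the unset state
// by accident.
contract RewardDistributorFixed is RewardDistributorBase {
    function addVoteEscrow(address _voteEscrow) external override onlyOwner {
        require(_voteEscrow != address(0), "zero address");
        if (address(ve) == address(0)) {
            ve = IVoteEscrow(_voteEscrow);      // fix: use the parameter
        } else {
            pendingVoteEscrow = _voteEscrow;
            voteEscrowEnableDate = block.timestamp + 1 days;
        }
    }
}

// Deploys both variants, calls addVoteEscrow once as their owner and reports
// whether ve was actually set in each case.
contract AddVoteEscrowCheck {
    function run() external returns (bool buggyLeavesVeUnset, bool fixedSetsVe) {
        address target = address(uint160(0xBEEF)); // constructed sample address
        RewardDistributorBuggy buggy = new RewardDistributorBuggy();
        buggy.addVoteEscrow(target);
        buggyLeavesVeUnset = address(buggy.ve()) == address(0);

        RewardDistributorFixed patched = new RewardDistributorFixed();
        patched.addVoteEscrow(target);
        fixedSetsVe = address(patched.ve()) == target;
    }
}
```

Deploying AddVoteEscrowCheck and calling run() exercises both variants from the same owner: the first flag reports whether the defective variant left ve at address(0) after the initial call, the second whether the corrected variant stored the _voteEscrow parameter. The added require on the zero address is a defensive extra beyond the recommended one-line fix; it turns a silent misconfiguration into a reverted transaction that the owner notices immediately.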