Incorrect oldLocked value passed in VotingEscrow._checkpoint in VotingEscrow.increaseUnlockTime when locked_.delegatee == msg.sender #134
Labels: 2 (Med Risk), bug, duplicate
Lines of code
https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L513
Vulnerability details
Impact
oldLocked and locked_ are basically the same, because oldLocked is a copy of locked_ (LockedBalance memory oldLocked = _copyLock(locked_);) and oldLocked.end is then assigned the new unlock time unlock_time (oldLocked.end = unlock_time;), which results in no change. Both are then passed into _checkpoint(msg.sender, oldLocked, locked_); which results in incorrect checkpoint math.
Proof of Concept
locked_ is assigned unlock_time here: https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L507
When locked_.delegatee == msg.sender, oldLocked is created as a copy of locked_ here: https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L512
But instead of oldUnlockTime, unlock_time (the new unlock end timestamp) is assigned to oldLocked.end here, making oldLocked and locked_ the same: https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L513
Because oldLocked and locked_, being the same, are passed into _checkpoint(msg.sender, oldLocked, locked_); here: https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L514
this results in incorrect calculations of userOldPoint.bias and pointHistory in lines https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L240 , https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L372
Tools Used
Manual Review
Recommended Mitigation Steps
Set oldLocked to the old unlock time.
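
The effect described in this report, as an added Python model that is not part of the original issue or of the FIAT DAO code. It assumes Curve-style checkpoint math (slope = delegated / MAXTIME, bias = slope * remaining time); Lock, point, checkpoint_delta, increase_unlock_time and the MAXTIME value are hypothetical names and values chosen for the illustration.

```python
from dataclasses import dataclass, replace

MAXTIME = 365 * 86400  # assumed maximum lock duration for this model


@dataclass(frozen=True)
class Lock:
    delegated: int  # voting weight behind the lock
    end: int        # unlock timestamp


def point(lock: Lock, now: int) -> tuple[int, int]:
    """Return (bias, slope) of a lock at `now`; zero once expired."""
    if lock.end <= now or lock.delegated == 0:
        return 0, 0
    slope = lock.delegated // MAXTIME
    return slope * (lock.end - now), slope


def checkpoint_delta(old: Lock, new: Lock, now: int):
    """Change a checkpoint applies to the global bias and to the
    scheduled slope changes, given the old and new lock states."""
    old_bias, old_slope = point(old, now)
    new_bias, new_slope = point(new, now)
    slope_changes: dict[int, int] = {}
    if old.end > now:
        # cancel the decay step previously scheduled at the old end
        slope_changes[old.end] = slope_changes.get(old.end, 0) + old_slope
    if new.end > now:
        # schedule the decay step at the new end
        slope_changes[new.end] = slope_changes.get(new.end, 0) - new_slope
    slope_changes = {t: d for t, d in slope_changes.items() if d != 0}
    return new_bias - old_bias, slope_changes


def increase_unlock_time(locked: Lock, unlock_time: int, now: int, fixed: bool):
    """Model of the delegatee == msg.sender branch described in the report."""
    old_unlock_time = locked.end
    locked = replace(locked, end=unlock_time)   # locked_.end = unlock_time
    old_locked = replace(locked)                # copy of the already updated lock
    # reported behaviour: oldLocked.end = unlock_time; mitigation: old unlock time
    old_locked = replace(old_locked, end=old_unlock_time if fixed else unlock_time)
    return checkpoint_delta(old_locked, locked, now)
```

With fixed=False the old and new locks are identical, so the checkpoint adds nothing to the global bias and reschedules no slope change; with fixed=True the extension shows up in both.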