Snapshot delegation cannot be cleared or modified #51
Comments
0xleastwood marked the issue as primary issue
I don't think this qualifies as a medium severity issue. Proxy addresses do not change, and the issue raised seems like a best practice that should be implemented but is not necessary. Downgrading to QA.
0xleastwood changed the severity to QA (Quality Assurance)
This previously downgraded issue has been upgraded by 0xleastwood
0xleastwood changed the severity to QA (Quality Assurance)
0xleastwood marked the issue as grade-a
elmutt (sponsor) confirmed
0xleastwood marked the issue as selected for report
0xleastwood removed the grade
0xleastwood marked the issue as not selected for report
Lines of code
https://github.com/code-423n4/2023-09-asymmetry/blob/main/contracts/strategies/votium/VotiumStrategyCore.sol#L100-L111
Vulnerability details
Summary
Convex voting power is delegated to the Votium protocol when the VotiumStrategy contract is deployed and cannot be cleared or changed if required.
Impact
The Votium strategy contract earns Convex rewards by delegating its voting power to Votium. This is done using the Snapshot protocol: when the VotingStrategy contract is deployed, it calls the Snapshot registry to register the delegation.
https://github.com/code-423n4/2023-09-asymmetry/blob/main/contracts/strategies/votium/VotiumStrategyCore.sol#L100-L111
After this registration is done, there is no current way of clearing or modifying this action. If the Snapshot id changes, or the Votium address changes, the protocol administrators won't be able to modify the delegation.
Recommendation
Add a function controlled by the owner of the protocol to modify the registration:
Assessed type
Other
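One way the recommendation above could look, as an added example that is neither the project's code nor the reporter's proposed fix: owner-gated wrappers around the Snapshot delegate registry's `setDelegate` and `clearDelegate`. The contract name, function names, events and constructor wiring are assumptions, and the registry address and space id are passed in rather than hard-coded.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Subset of the Snapshot delegate registry interface used by this sketch.
interface ISnapshotDelegateRegistry {
    function setDelegate(bytes32 id, address delegate) external;
    function clearDelegate(bytes32 id) external;
}

// Hypothetical sketch: names and layout are assumptions, not the project's code.
contract DelegationManaged {
    address public owner;
    ISnapshotDelegateRegistry public immutable registry;

    event SnapshotDelegateSet(bytes32 indexed id, address indexed delegate);
    event SnapshotDelegateCleared(bytes32 indexed id);

    error NotOwner();
    error ZeroAddress();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address _owner, address _registry) {
        if (_owner == address(0) || _registry == address(0)) revert ZeroAddress();
        owner = _owner;
        registry = ISnapshotDelegateRegistry(_registry);
    }

    // Re-point this contract's delegation for Snapshot space `id`.
    // Only the owner may call this, so voting power cannot be redirected by others.
    function setSnapshotDelegate(bytes32 id, address delegate) external onlyOwner {
        if (delegate == address(0)) revert ZeroAddress();
        registry.setDelegate(id, delegate);
        emit SnapshotDelegateSet(id, delegate);
    }

    // Remove this contract's delegation for Snapshot space `id`.
    function clearSnapshotDelegate(bytes32 id) external onlyOwner {
        registry.clearDelegate(id);
        emit SnapshotDelegateCleared(id);
    }
}
```

Emitting an event on every change gives monitoring a signal for unexpected delegation updates, since whoever controls the owner key controls where the voting power goes.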