Snapshot delegation cannot be cleared or modified #51

Open
c4-submissions opened this issue Sep 27, 2023 · 10 comments
Labels
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
grade-a
primary issue: Highest quality submission among a set of duplicates
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@c4-submissions

Lines of code

https://github.com/code-423n4/2023-09-asymmetry/blob/main/contracts/strategies/votium/VotiumStrategyCore.sol#L100-L111

Vulnerability details

Summary

Convex voting power is delegated to the Votium protocol when the VotiumStrategy contract is deployed and cannot be cleared or changed if required.

Impact

The Votium strategy contract earns Convex rewards by delegating its voting power to Votium. This is done using the Snapshot protocol: when the VotingStrategy contract is deployed, it calls the Snapshot registry to register the delegation.

https://github.com/code-423n4/2023-09-asymmetry/blob/main/contracts/strategies/votium/VotiumStrategyCore.sol#L100-L111

    function initialize(
        address _owner,
        address _rewarder,
        address _manager
    ) external initializer {
        // Snapshot delegation id: the ASCII bytes of "cvx.eth", right-padded to 32 bytes
        bytes32 VotiumVoteDelegationId = 0x6376782e65746800000000000000000000000000000000000000000000000000;
        address DelegationRegistry = 0x469788fE6E9E9681C6ebF3bF78e7Fd26Fc015446;
        address votiumVoteProxyAddress = 0xde1E6A7ED0ad3F61D531a8a78E83CcDdbd6E0c49;
        // The delegation is registered here, during initialization
        ISnapshotDelegationRegistry(DelegationRegistry).setDelegate(
            VotiumVoteDelegationId,
            votiumVoteProxyAddress
        );
        // ... (excerpt ends at line 111 of the linked file)

After this registration is done, there is no current way of clearing or modifying this action. If the Snapshot id changes, or the Votium address changes, the protocol administrators won't be able to modify the delegation.

Recommendation

Add a function controlled by the owner of the protocol to modify the registration:

function setDelegation(bytes32 id, address target) external onlyOwner {
    address DelegationRegistry = 0x469788fE6E9E9681C6ebF3bF78e7Fd26Fc015446;
    ISnapshotDelegationRegistry(DelegationRegistry).setDelegate(id, target);
}

Assessed type

Other
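
An added sketch (not code from the Asymmetry repository or from the submission) that extends the recommendation above to cover both modifying and clearing the delegation. The contract name, event, errors and inlined owner check are hypothetical, and the `clearDelegate` and `delegation` members are assumed from the public Snapshot delegate registry contract rather than taken from this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed subset of the Snapshot delegate registry interface (only setDelegate appears on the page).
interface IDelegateRegistry {
    function setDelegate(bytes32 id, address delegate) external;
    function clearDelegate(bytes32 id) external;
    function delegation(address delegator, bytes32 id) external view returns (address);
}

// Hypothetical stand-alone contract; a real strategy would reuse its existing onlyOwner.
contract SnapshotDelegationAdmin {
    // Registry address as it appears in the issue's excerpt.
    IDelegateRegistry internal constant REGISTRY =
        IDelegateRegistry(0x469788fE6E9E9681C6ebF3bF78e7Fd26Fc015446);
    address public owner;

    event DelegationUpdated(bytes32 indexed id, address indexed previous, address indexed current);
    error NotOwner();
    error InvalidDelegate();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address _owner) { owner = _owner; }

    // Point the delegation for `id` at a new target; the registry rejects zero and self.
    function setDelegation(bytes32 id, address target) external onlyOwner {
        if (target == address(0) || target == address(this)) revert InvalidDelegate();
        address previous = REGISTRY.delegation(address(this), id);
        if (previous == target) return; // registry reverts on a no-op set
        REGISTRY.setDelegate(id, target);
        emit DelegationUpdated(id, previous, target);
    }

    // Remove the delegation for `id` entirely.
    function clearDelegation(bytes32 id) external onlyOwner {
        address previous = REGISTRY.delegation(address(this), id);
        if (previous == address(0)) return; // registry reverts when nothing is set
        REGISTRY.clearDelegate(id);
        emit DelegationUpdated(id, previous, address(0));
    }
}
```

Emitting an event on every change gives monitoring a single signal to alert on if the delegate is ever repointed unexpectedly.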

@c4-submissions c4-submissions added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Sep 27, 2023
c4-submissions added a commit that referenced this issue Sep 27, 2023
@c4-judge

c4-judge commented Oct 3, 2023

0xleastwood marked the issue as primary issue

@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label Oct 3, 2023
@0xleastwood

I don't think this qualifies as a medium-severity issue; proxy addresses do not change, and the issue raised seems like a best practice that should be implemented but is not necessary. Downgrading to QA.

@c4-judge

c4-judge commented Oct 4, 2023

0xleastwood changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Oct 4, 2023
@c4-judge

c4-judge commented Oct 4, 2023

This previously downgraded issue has been upgraded by 0xleastwood

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Oct 4, 2023
@c4-judge

c4-judge commented Oct 4, 2023

0xleastwood changed the severity to QA (Quality Assurance)

@c4-judge

c4-judge commented Oct 4, 2023

0xleastwood marked the issue as grade-a

@c4-sponsor

elmutt (sponsor) confirmed

@c4-sponsor c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Oct 4, 2023
@c4-judge

c4-judge commented Oct 4, 2023

0xleastwood marked the issue as selected for report

@c4-judge c4-judge added the selected for report This submission will be included/highlighted in the audit report label Oct 4, 2023
@c4-judge

c4-judge commented Oct 5, 2023

0xleastwood removed the grade

@c4-judge c4-judge removed the grade-a label Oct 5, 2023
@c4-judge

c4-judge commented Oct 5, 2023

0xleastwood marked the issue as not selected for report

@c4-judge c4-judge removed the selected for report This submission will be included/highlighted in the audit report label Oct 5, 2023