You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Jan 21, 2024. It is now read-only.
sherlock-admin opened this issue
Jul 22, 2023
· 0 comments
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
Slightly increasing the vote factor can result to beneficiaries not able to claim their tokens.
Summary
Slightly increasing the vote factor can result to beneficiaries not able to claim their tokens.
Vulnerability Detail
Increasing the vote factor can result to unexpected outcome, as beneficiaries won't be able to claim their tokens.
When executing claim, the function calculates the amount of votes it has to burn based on the formula in the function
tokensToVotes. This can be problematic if the vote power increases and can lead to the following scenario:
A beneficiary is initialized and voting power is minted to it based on the current factor.
Time passes and the vote factor slightly increases
The beneficiary tries to claim his tokens but as the vote factor increased, the function will try to burn more voting power than the user has and it will revert.
In the end the beneficiary won't be able to claim his rewards.
function _executeClaim(
addressbeneficiary,
uint256totalAmount
) internalvirtualoverridereturns (uint256_claimed) {
_claimed =super._executeClaim(beneficiary, totalAmount);
// reduce voting power through ERC20Votes extension_burn(beneficiary, tokensToVotes(_claimed));
}
Duo to difference between the two vote factors, when the beneficiary was initialized and after the vote factor increases. The beneficiary won't be able to claim his tokens, as the function will try to burn more voting power than the beneficiary has.
The one way to fix this issue would be to burn the whole amount of voting power the beneficiary has, only if the tokens claimed have more voting power than the user has. This will prevent the issue from not being able to claim rewards, if vote factor increases over time.
sherlock-admin
changed the title
Melted Spruce Oyster - Slightly increasing the vote factor can result to beneficiaries not able to claim their tokens.
Yuki - Slightly increasing the vote factor can result to beneficiaries not able to claim their tokens.
Aug 6, 2023
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
Yuki
high
Slightly increasing the vote factor can result to beneficiaries not able to claim their tokens.
Summary
Slightly increasing the vote factor can result to beneficiaries not able to claim their tokens.
Vulnerability Detail
Increasing the vote factor can result to unexpected outcome, as beneficiaries won't be able to claim their tokens.
When executing claim, the function calculates the amount of votes it has to burn based on the formula in the function
tokensToVotes. This can be problematic if the vote power increases and can lead to the following scenario:
Impact
Duo to difference between the two vote factors, when the beneficiary was initialized and after the vote factor increases. The beneficiary won't be able to claim his tokens, as the function will try to burn more voting power than the beneficiary has.
Code Snippet
https://github.com/sherlock-audit/2023-06-tokensoft/blob/main/contracts/contracts/claim/abstract/AdvancedDistributor.sol#L87
https://github.com/sherlock-audit/2023-06-tokensoft/blob/main/contracts/contracts/claim/abstract/AdvancedDistributor.sol#L73
Tool used
Manual Review
Recommendation
The one way to fix this issue would be to burn the whole amount of voting power the beneficiary has, only if the tokens claimed have more voting power than the user has. This will prevent the issue from not being able to claim rewards, if vote factor increases over time.
Duplicate of #55
The text was updated successfully, but these errors were encountered: