Skip to content
This repository has been archived by the owner on Jan 21, 2024. It is now read-only.

ni8mare - IVT tokens can be minted many times by calling initializeDistributionRecord several times. #192

Closed
sherlock-admin2 opened this issue Jul 22, 2023 · 0 comments
Closed

ni8mare - IVT tokens can be minted many times by calling initializeDistributionRecord several times. #192

sherlock-admin2 opened this issue Jul 22, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin2
Copy link

sherlock-admin2 commented Jul 22, 2023
edited
Loading

ni8mare

high

IVT tokens can be minted many times by calling initializeDistributionRecord several times.

Summary

IVT tokens can be minted many times by calling initializeDistributionRecord several times, giving a malicious user an unlimited amount of voting power.

Vulnerability Detail

The initializeDistributionRecord function in the CrosschainMerkleDistributor is an external function that could be called by anyone, given that they submit valid Merkle proof. But there is no limit on how many times this function can be called. This function calls the _initializeDistributionRecord in AdvancedDistributor, which mints the IVT tokens. Since there is no limit on calling initializeDistributionRecord as long as a valid Merkle proof is provided, a user could mint an infinite amount of IVT tokens giving them a lot of voting power.

function _initializeDistributionRecord(
    address beneficiary,
    uint256 totalAmount
) internal virtual override {
    super._initializeDistributionRecord(beneficiary, totalAmount);

    // add voting power through ERC20Votes extension
    _mint(beneficiary, tokensToVotes(totalAmount)); 
    //@audit -  no limit on minting these tokens. Given that initializeDistributionRecord
    //in CrosschainMerkleDistributor can be called many times with the same leaf value and Merkle proof.
}

Impact

A malicious user could mint an infinite amount of IVT tokens giving them a lot of voting power.

Code Snippet

https://github.com/SoftDAO/contracts/blob/291df55ddb0dbf53c6ed4d5b7432db0c357ca4d3/contracts/claim/abstract/CrosschainMerkleDistributor.sol#L46-L53

Tool used

Manual Review

Recommendation

Limit the number of times the initializeDistributionRecord function can be called. It should only be called once. This could be done by maintaining a mapping like this:

mapping(bytes32 => mapping (bytes32 => bool)) merkleRootToLeafInitialised;

If for a Merkle root, a leaf has already been initialised, then do not call the initializeDistributionRecord function again.

Duplicate of #41
@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jul 26, 2023
@sherlock-admin2 sherlock-admin2 changed the title Zany Taffy Viper - IVT tokens can be minted many times by calling initializeDistributionRecord several times. ni8mare - IVT tokens can be minted many times by calling initializeDistributionRecord several times. Aug 6, 2023
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Aug 6, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin2