You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Jan 21, 2024. It is now read-only.
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
IVT tokens can be minted many times by calling initializeDistributionRecord several times.
Summary
IVT tokens can be minted many times by calling initializeDistributionRecord several times, giving a malicious user an unlimited amount of voting power.
Vulnerability Detail
The initializeDistributionRecord function in the CrosschainMerkleDistributor is an external function that could be called by anyone, given that they submit valid Merkle proof. But there is no limit on how many times this function can be called. This function calls the _initializeDistributionRecord in AdvancedDistributor, which mints the IVT tokens. Since there is no limit on calling initializeDistributionRecord as long as a valid Merkle proof is provided, a user could mint an infinite amount of IVT tokens giving them a lot of voting power.
function _initializeDistributionRecord(
addressbeneficiary,
uint256totalAmount
) internalvirtualoverride {
super._initializeDistributionRecord(beneficiary, totalAmount);
// add voting power through ERC20Votes extension_mint(beneficiary, tokensToVotes(totalAmount));
//@audit - no limit on minting these tokens. Given that initializeDistributionRecord//in CrosschainMerkleDistributor can be called many times with the same leaf value and Merkle proof.
}
Impact
A malicious user could mint an infinite amount of IVT tokens giving them a lot of voting power.
Limit the number of times the initializeDistributionRecord function can be called. It should only be called once. This could be done by maintaining a mapping like this:
sherlock-admin2
changed the title
Zany Taffy Viper - IVT tokens can be minted many times by calling initializeDistributionRecord several times.
ni8mare - IVT tokens can be minted many times by calling initializeDistributionRecord several times.
Aug 6, 2023
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
ni8mare
high
IVT tokens can be minted many times by calling
initializeDistributionRecord
several times.Summary
IVT tokens can be minted many times by calling
initializeDistributionRecord
several times, giving a malicious user an unlimited amount of voting power.Vulnerability Detail
The
initializeDistributionRecord
function in theCrosschainMerkleDistributor
is an external function that could be called by anyone, given that they submit valid Merkle proof. But there is no limit on how many times this function can be called. This function calls the_initializeDistributionRecord
inAdvancedDistributor
, which mints the IVT tokens. Since there is no limit on callinginitializeDistributionRecord
as long as a valid Merkle proof is provided, a user could mint an infinite amount of IVT tokens giving them a lot of voting power.Impact
A malicious user could mint an infinite amount of IVT tokens giving them a lot of voting power.
Code Snippet
https://github.com/SoftDAO/contracts/blob/291df55ddb0dbf53c6ed4d5b7432db0c357ca4d3/contracts/claim/abstract/CrosschainMerkleDistributor.sol#L46-L53
Tool used
Manual Review
Recommendation
Limit the number of times the
initializeDistributionRecord
function can be called. It should only be called once. This could be done by maintaining a mapping like this:If for a Merkle root, a leaf has already been initialised, then do not call the
initializeDistributionRecord
function again.Duplicate of #41
The text was updated successfully, but these errors were encountered: