This repository has been archived by the owner on Jan 21, 2024. It is now read-only.

0xDjango - Changes to voteFactor can lead to unclaimable tokens #46

sherlock-admin2 opened this issue Jul 21, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

sherlock-admin2 commented Jul 21, 2023

0xDjango

high

Changes to voteFactor can lead to unclaimable tokens

Summary

Upon initialization of a user's DistributionRecord, they are minted voting power based on the current voteFactor value. Upon claiming tokens, their voting power is burned based on the current voteFactor. Therefore, if the voteFactor were to increase between these actions by calling setVoteFactor(), users would not be able to claim their full amount of tokens.

Vulnerability Detail

Users receive voting power when their DistributionRecord is initialized:

  function _initializeDistributionRecord(
    address beneficiary,
    uint256 totalAmount
  ) internal virtual override {
    super._initializeDistributionRecord(beneficiary, totalAmount);


    // add voting power through ERC20Votes extension
    _mint(beneficiary, tokensToVotes(totalAmount));
  }

This mints voting power as a function of the current voteFactor value:

  function tokensToVotes(uint256 tokenAmount) private view returns (uint256) {
    return (tokenAmount * voteFactor) / fractionDenominator;
  }

When the user claims their tokens, their voting power is burned based on the same tokensToVotes calculation. Therefore, any increase in vote factor will lead to unclaimable funds.

  function _executeClaim(
    address beneficiary,
    uint256 totalAmount
  ) internal virtual override returns (uint256 _claimed) {
    _claimed = super._executeClaim(beneficiary, totalAmount);


    // reduce voting power through ERC20Votes extension
    _burn(beneficiary, tokensToVotes(_claimed));
  }

Impact

  • Frozen airdrops due to underflow

Code Snippet

https://github.com/sherlock-audit/2023-06-tokensoft/blob/main/contracts/contracts/claim/abstract/AdvancedDistributor.sol#L73-L95

Tool used

Manual Review

Recommendation

The lengthy and expensive mitigation would involve keeping a record of holders and mint/burn them a proportional amount of voting power in case the voteFactor changes.

Final note

Oppositely, if the voteFactor were to decrease, the token claim would succeed but users would retain voting power after claiming their entire distribution. All this to say, any change to the voteFactor leads to undesirable circumstances without accounting for the change in the existing voting power balances.

Duplicate of #55

@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jul 26, 2023
@sherlock-admin2 sherlock-admin2 changed the title Atomic Marmalade Finch - Changes to voteFactor can lead to unclaimable tokens 0xDjango - Changes to voteFactor can lead to unclaimable tokens Aug 6, 2023
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Aug 6, 2023
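
The mint-then-burn accounting described in the report, as an added Python model (not the contract's code and not part of the original issue). The `FRACTION_DENOMINATOR` value, the class and function names, and the simplification that a claim takes an explicit amount instead of a vesting calculation are assumptions made for illustration.

```python
FRACTION_DENOMINATOR = 10_000  # assumed; the page does not give the contract's value


class BurnExceedsBalance(Exception):
    """Stands in for the revert when _burn is asked for more than the balance."""


class DistributorModel:
    def __init__(self, vote_factor):
        self.vote_factor = vote_factor
        self.total, self.claimed, self.votes = {}, {}, {}

    def tokens_to_votes(self, amount):
        # Same arithmetic as tokensToVotes(): always uses the *current* factor.
        return amount * self.vote_factor // FRACTION_DENOMINATOR

    def initialize(self, who, total_amount):
        self.total[who], self.claimed[who] = total_amount, 0
        self.votes[who] = self.tokens_to_votes(total_amount)  # mint

    def claim(self, who, amount):
        burn = self.tokens_to_votes(amount)
        if burn > self.votes[who]:
            raise BurnExceedsBalance(f"burn {burn} > balance {self.votes[who]}")
        self.votes[who] -= burn
        self.claimed[who] += amount

    def max_claimable(self, who):
        # Largest amount a with a * factor // D <= votes currently held.
        remaining = self.total[who] - self.claimed[who]
        if self.vote_factor == 0:
            return remaining
        cap = ((self.votes[who] + 1) * FRACTION_DENOMINATOR - 1) // self.vote_factor
        return min(remaining, cap)


def scenario(factor_at_init, factor_at_claim, total=1_000):
    """Return (full_claim_reverted, tokens_claimable, votes_left_afterwards)."""
    d = DistributorModel(factor_at_init)
    d.initialize("alice", total)      # constructed sample beneficiary
    d.vote_factor = factor_at_claim   # models setVoteFactor()
    try:
        d.claim("alice", total)
        return False, total, d.votes["alice"]
    except BurnExceedsBalance:
        best = d.max_claimable("alice")
        d.claim("alice", best)
        return True, best, d.votes["alice"]
```

Doubling the factor between initialization and claim strands half of the allocation in this model, while halving it lets the claim succeed but leaves voting power behind, matching the report's final note.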