This repository has been archived by the owner on Jun 2, 2024. It is now read-only.
cergyk - LockingPositionDelegate::manageOwnedAndDelegated unchecked duplicate tokenId allow metaGovernance manipulation #126
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
High
A valid High severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
cergyk
high
LockingPositionDelegate::manageOwnedAndDelegated unchecked duplicate tokenId allow metaGovernance manipulation
Summary
A malicious user can multiply his share of meta governance delegation for a tokenId by adding that token multiple times when calling manageOwnedAndDelegated.
Vulnerability Detail
Without checks to prevent the addition of duplicate token IDs, a user can artificially inflate their voting power and their metaGovernance delegations.
A malicious user can add the same tokenId multiple times, and thus multiply his own share of meta governance delegation with regards to that tokenId.
Scenario:
manageOwnedAndDelegated and adds the same tokenId 10 times, each time allocating 10% of the voting power to herself.
tokenId, fetched by calling mgCvgVotingPowerPerAddress, harming Bob and Alice metaGovernance voting power.
Impact
The lack of duplicate checks can be exploited by a malicious user to manipulate the metaGovernance system, allowing her to gain illegitimate voting power (up to 100%) on a delegated tokenId, harming the delegator and the other delegations of the same tokenId.
Code Snippet
https://github.com/sherlock-audit/2023-11-convergence/blob/main/sherlock-cvg/contracts/Locking/LockingPositionDelegate.sol#L330
PoC
Add in balance-delegation.spec.ts:
Tool used
Recommendation
Ensure that the array of token IDs is sorted and contains no duplicates. This can be achieved by verifying that each tokenId in the array is strictly greater than the previous one, which ensures uniqueness without additional data structures.
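The recommended check, shown in a simplified model that is added here as an illustration and is not code from the Convergence repository. Every contract, function and mapping name except tokenId is hypothetical, and the way voting power is summed is an assumption made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Simplified model written for this example. It is NOT the Convergence
/// LockingPositionDelegate contract; all names here are hypothetical.
contract DelegatedListModel {
    error NotStrictlyIncreasing(uint256 index);

    // tokenId => meta-governance power of the locking position (model value)
    mapping(uint256 => uint256) public tokenPower;
    // tokenId => delegatee => percentage (0-100) delegated by the token owner
    mapping(uint256 => mapping(address => uint256)) public delegatedPct;
    // account => delegated tokenIds the account asked to have counted
    mapping(address => uint256[]) private tracked;

    /// Model setup helper standing in for locking a position and delegating it.
    function setup(uint256 tokenId, uint256 power, address to, uint256 pct) external {
        require(pct <= 100, "pct > 100");
        tokenPower[tokenId] = power;
        delegatedPct[tokenId][to] = pct;
    }

    /// Behaviour described in the report: the list is stored as supplied,
    /// so a repeated tokenId is counted once per occurrence.
    function manageUnchecked(uint256[] calldata ids) external {
        tracked[msg.sender] = ids;
    }

    /// Recommended form: each id must be strictly greater than the previous
    /// one, which rejects duplicates in one pass without extra storage.
    function manageChecked(uint256[] calldata ids) external {
        for (uint256 i = 1; i < ids.length; ++i) {
            if (ids[i] <= ids[i - 1]) revert NotStrictlyIncreasing(i);
        }
        tracked[msg.sender] = ids;
    }

    /// Sums the tracked delegations the way a per-address power getter would.
    function votingPower(address account) external view returns (uint256 total) {
        uint256[] storage ids = tracked[account];
        for (uint256 i = 0; i < ids.length; ++i) {
            total += (tokenPower[ids[i]] * delegatedPct[ids[i]][account]) / 100;
        }
    }
}
```

In this model, a token with power 1000 and 10% delegated yields 1000 from votingPower when its id is stored ten times through manageUnchecked, while manageChecked reverts with NotStrictlyIncreasing(1) on the same input.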