-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Drynooo - User balance is not updated when changing voteFactor #31
Comments
Escalate Hi Judge, I think this should be achievable, please re-evaluate. |
You've created a valid escalation! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
Would be appreciated if you point out the reason on why you think this is valid @Scorpiondeng |
Duplicate of #69 |
I now try to give as much detail as possible. "tokensToVotes" means returning the corresponding number of voting rights, followed by minting or burning through the
Similar to the above assumption, if |
I think this misunderstands an important part of the contract: initializeClaim can be called multiple times, by design. Whenever it's called, the voting rights get updated to the most recent number. |
You are right, after a while I forgot about this. But the key point is that when I have expressed my opinion and respect the judge's decision. |
So something important to realize is that I and many others pointed out issues with the setVoteFactor function in the last contest, including this one. See sherlock-audit/2023-06-tokensoft-judging#55 . The "increase scenario" there has been fixed, but the "decrease issue" is the exact same as this present report. The protocol team addressed this report and passed fix review, so we can conclude that they do not see what's left as an actual issue. And I would agree. It seems the intention is that, after doing a setVoteFactor, the admin will call initializeClaim on anyone already initialized. For increasing the voting share, the users can be trusted to do it themselves; otherwise, they'd only be hurting themselves. |
Agreed with @jkoppel this appears to be a design choice by protocol. |
In @jkoppel's discussion and previous reports, users' preemptive voting was not considered when voteFactor was reduced. |
What is preemptive voting? Voting for a proposal before it's created? |
Before the project party calls initializeClaim on the attacker. |
Doesn't that require opening a new proposal before the admin's finished adjusting people's voting weight? Also, since when is voting for a proposal that's already open an attack? |
@Scorpiondeng as I understand, by "preemptive voting" you meant that the attacker can front-run admin's call to reduce |
Yeah. This is basically what it means, or it can be to vote before the administrator calls the initializeDistributionRecord function to update the attacker's voting rights. I think this is unfair to users who vote after updating their voting rights. |
Hi, @jkoppel @WangSecurity . |
@jkoppel @Scorpiondeng another small clarification, if there's no proposal live, and the admin reduced the |
@WangSecurity Correct. If voteFactor is changed when there are no open proposals, then nothing bad can happen from this, so long as everyone voting share is correctly adjusted downward before the next proposal opens. |
Hm, then I actually think it would strange for an admin to change the vote factor mid-proposal:
I hope these two examples explain why it would be quite logical to change the vote factor when there' no proposal, cause otherwise, seems like an untrusted admin action. Planning to reject the escalation and leave the issue as it is. |
Result: |
Escalations have been resolved successfully! Escalation status:
|
Drynooo
high
User balance is not updated when changing voteFactor
Summary
When changing voteFactor, the user's balance was not updated. An attacker can monitor this transaction and vote before the balance is updated, thereby gaining more voting power.
Vulnerability Detail
For example, if voteFactor increases, the voting rights of all users should increase. However, users' voting rights are not updated in time. Attackers can vote immediately after updating their voting rights, thus accounting for a larger proportion. If voteFactor decreases, the voting rights of all users should decrease, and attackers can preempt transactions. Vote before updates to have greater voting power.
Impact
The attacker may have more voting power.
Code Snippet
Tool used
Manual Review
Recommendation
Update the balances of all users when voteFactor is updated.
The text was updated successfully, but these errors were encountered: