Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extension voting threshold check needs to rerun on each transfer #141

Open
code423n4 opened this issue Dec 15, 2021 · 0 comments
Open

Extension voting threshold check needs to rerun on each transfer #141

code423n4 opened this issue Dec 15, 2021 · 0 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Handle

cmichel

Vulnerability details

The Extension contract correctly reduces votes from the from address of a transfer and adds it to the to address of the transfer (in case both of them voted on it before), but it does not rerun the voting logic in voteOnExtension that actually grants the extension.
This leads to issues where an extension should be granted but is not:

POC

  • to address has 100 tokens and votes for the extension
  • from address has 100 tokens but does not vote for the extension and transfers the 100 tokens to to
  • to now has 200 tokens, removeVotes is run, the totalExtensionSupport is increased by 100 to 200. In theory, the threshold is reached and the vote should pass if to could call voteOnExtension again.
  • But their call to voteOnExtension with the new balance will fail as they already voted on it (lastVotedExtension == _extensionVoteEndTime). The extension is not granted.

Impact

Extensions that should be granted after a token transfer are not granted.

Recommended Mitigation Steps

Rerun the threshold logic in removeVotes as it has the potential to increase the total support if to voted for the extension but from did not.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Dec 15, 2021
code423n4 added a commit that referenced this issue Dec 15, 2021
@code423n4
cmichel issue #141
ce1b647
@ritik99 ritik99 added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Dec 27, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ritik99 @code423n4