Upgraded Q -> M from 234 [1659038052827] #275
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate: This issue or pull request already exists
upgraded by judge
Judge has assessed an item in Issue #234 as Medium risk. The relevant finding follows:
When removing an operator, there is no check to make sure that veAssetWeights[operator] has been removed. If governance forgot to call updateveAssetWeight before removing the operator, totalWeight would be inflated and users would get a lesser amount when claiming rewards:

    uint256 _veAssetEarned = _amount.mul(veTokenMinter.veAssetWeights(address(this))).div(
        veTokenMinter.totalWeight()
    );
Recommended Mitigation
Ensure that weight is updated to zero when removing operator:

    function removeOperator(address _operator) public onlyOwner {
        updateveAssetWeight(_operator, 0); // modify visibility to public
        operators.remove(_operator);
    }

Relevant Links
https://github.com/code-423n4/2022-05-vetoken/blob/2d7cd1f6780a9bcc8387dea8fecfbd758462c152/contracts/VeTokenMinter.sol#L36-L46
https://github.com/code-423n4/2022-05-vetoken/blob/2d7cd1f6780a9bcc8387dea8fecfbd758462c152/contracts/Booster.sol#L607-L609
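
The dilution described in the finding, worked through in a simplified Python model (an added example, not the project's Solidity code). The operator names, the weights, the body of `updateveAssetWeight` and the `invariant_holds` check are assumptions made for illustration; only the reward formula and the mitigation come from the issue text.

```python
class MinterModel:
    """Simplified model of the weight bookkeeping; not the VeTokenMinter source."""

    def __init__(self, zero_weight_on_remove):
        self.operators = set()
        self.veAssetWeights = {}
        self.totalWeight = 0
        self.zero_weight_on_remove = zero_weight_on_remove

    def addOperator(self, operator):
        self.operators.add(operator)

    def updateveAssetWeight(self, operator, new_weight):
        # Assumed behaviour: only registered operators; totalWeight tracks the delta.
        if operator not in self.operators:
            raise ValueError("not an operator")
        self.totalWeight -= self.veAssetWeights.get(operator, 0)
        self.veAssetWeights[operator] = new_weight
        self.totalWeight += new_weight

    def removeOperator(self, operator):
        if self.zero_weight_on_remove:
            self.updateveAssetWeight(operator, 0)  # recommended mitigation
        self.operators.discard(operator)

    def earned(self, operator, amount):
        # Mirrors _amount.mul(veAssetWeights(op)).div(totalWeight), integer division.
        return amount * self.veAssetWeights.get(operator, 0) // self.totalWeight

    def invariant_holds(self):
        # totalWeight should equal the summed weights of the registered operators.
        live = sum(self.veAssetWeights.get(op, 0) for op in self.operators)
        return self.totalWeight == live


def scenario(zero_weight_on_remove):
    """Return (reward for boosterA, totalWeight, invariant) after removing boosterB."""
    m = MinterModel(zero_weight_on_remove)
    for op, weight in (("boosterA", 100), ("boosterB", 300)):  # constructed values
        m.addOperator(op)
        m.updateveAssetWeight(op, weight)
    m.removeOperator("boosterB")  # removed without a prior weight update
    return m.earned("boosterA", 1000), m.totalWeight, m.invariant_holds()


if __name__ == "__main__":
    print("without mitigation:", scenario(False))
    print("with mitigation:   ", scenario(True))
```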