User may make their loss to be unburnable by anyone #1215
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-152
grade-b
Q-03
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sufficient quality report
This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/tokens/ERC20Gauges.sol#L500-L539
Vulnerability details
When a loss is recorded in the system, it's shared across all gauge voters, and in order to perform any action on them, GuildToken.applyGaugeLoss() has to be called. However, this function will run indefinitely when it meets a getUserGaugeWeight[user][gauge] that is 0. This is easy for a user to achieve by increasing their voting weight by 0. Then, the loop will run indefinitely, because of the mismatched ++i position. This makes the position loss unappliable:
Impact
User GUILD tokens which are meant to be burned after the protocol, leaving "poisonous" GUILD tokens in a gauge forever.
Tools Used
Manual analysis
Recommended Mitigation Steps
The fix is very straightforward:
Generally, micro-optimizations are an enemy of security and should be verified very carefully.
Assessed type
Error
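The loop defect described in this report, shown beside a corrected form, as an added example that is not part of the original report and is not the project's code. It is a simplified model: the contract name, vote, freeBuggy and freeFixed are hypothetical, and it assumes, as the report states, that a vote of 0 leaves a gauge listed with weight 0.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Constructed model of the loop pattern; all names except
// getUserGaugeWeight are hypothetical.
contract GaugeLoopModel {
    mapping(address => mapping(address => uint256)) public getUserGaugeWeight;
    mapping(address => address[]) internal userGauges;

    // Assumption from the report: a vote of 0 still lists the gauge.
    // Model only: repeated votes for one gauge are not de-duplicated.
    function vote(address gauge, uint256 weight) external {
        userGauges[msg.sender].push(gauge);
        getUserGaugeWeight[msg.sender][gauge] += weight;
    }

    // Before: ++i sits inside the non-zero branch. On a zero-weight entry
    // neither i nor freed changes, so the loop spins until out of gas
    // and the whole call reverts.
    function freeBuggy(uint256 needed) external returns (uint256 freed) {
        address[] storage list = userGauges[msg.sender];
        uint256 size = list.length;
        for (uint256 i = 0; i < size && freed < needed; ) {
            uint256 w = getUserGaugeWeight[msg.sender][list[i]];
            if (w != 0) {
                getUserGaugeWeight[msg.sender][list[i]] = 0;
                freed += w;
                unchecked { ++i; }
            }
        }
    }

    // After: the increment is unconditional, so zero-weight entries are
    // skipped and the loop always terminates within size iterations.
    function freeFixed(uint256 needed) external returns (uint256 freed) {
        address[] storage list = userGauges[msg.sender];
        uint256 size = list.length;
        for (uint256 i = 0; i < size && freed < needed; ) {
            uint256 w = getUserGaugeWeight[msg.sender][list[i]];
            if (w != 0) {
                getUserGaugeWeight[msg.sender][list[i]] = 0;
                freed += w;
            }
            unchecked { ++i; }
        }
    }
}
```

A regression test for this class of bug uses a list with a zero-weight entry ahead of a non-zero one and a non-zero needed amount: freeBuggy must revert and freeFixed must return the non-zero weight.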