Skip to content
This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

0xAnmol - Double voting is possible if the user withdraws and reopens a position within the voting duration. #232

Closed
sherlock-admin3 opened this issue Jul 15, 2024 · 0 comments
Closed

0xAnmol - Double voting is possible if the user withdraws and reopens a position within the voting duration. #232

sherlock-admin3 opened this issue Jul 15, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin3
Copy link
Contributor

sherlock-admin3 commented Jul 15, 2024
edited by sherlock-admin4
Loading

0xAnmol

High

Double voting is possible if the user withdraws and reopens a position within the voting duration.

Summary

A staked user can withdraw his MLUM after voting and restake it to vote again, resulting in double voting.

Vulnerability Detail

Users who have an MLUM staked in the [mlumStaking.sol](http://mlumstaking.aol/) can vote in the voter.sol. The voting weight depends on the staked amount.

To exploit this, a user can stake before the voting begins and set the duration to the minimum required lock duration. After the voting period starts, the user can vote with their weight, withdraw the staked tokens, restake them, and vote again in the same pool within the same periodId.

POC

Here is a simple POC on how an attacker can do that.

  1. Alice created a 2-week position with 1e18 MLUM
  2. 13 days pass and Alice 1 day away from his expiry
  3. New voting period starts with 2 weeks duration
  4. Alice vote
  5. After 1 days Alice withdraw his MLUM
  6. Restake
  7. Vote Again

Paste this test in Voter.t.sol

  function testVoteTwice() public {
        _createPosition(ALICE);
        vm.warp(block.timestamp + 13 days); // 13 days
        vm.prank(DEV);
        _voter.startNewVotingPeriod();

        vm.startPrank(ALICE);
        _voter.vote(1, _getDummyPools(), _getDeltaAmounts());

        vm.warp(block.timestamp + 1 days);

        vm.startPrank(ALICE);
        _pool.withdrawFromPosition(1, 1 ether);

        _createPosition(ALICE);
        vm.startPrank(ALICE);
        _voter.vote(2, _getDummyPools(), _getDeltaAmounts());
    }

Impact

Double voting is breaking the fairness of the voting system. A malicious actor can use this to promote their pool in an unethical way.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/Voter.sol#L153

https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/MlumStaking.sol#L496

Tool used

Manual Review

Recommendation

Do not allow stakers to withdraw from their position if they are already voting.

Duplicate of #166
@github-actions github-actions bot added duplicate High A High severity issue. labels Jul 21, 2024
@sherlock-admin2 sherlock-admin2 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@sherlock-admin4 sherlock-admin4 changed the title Slow Maroon Gibbon - Double voting is possible if the user withdraws and reopens a position within the voting duration. 0xAnmol - Double voting is possible if the user withdraws and reopens a position within the voting duration. Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sherlock-admin2 @sherlock-admin3 @sherlock-admin4