Skip to content
This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

web3pwn - User can vote twice once the lock duration elapses #279

Closed
sherlock-admin2 opened this issue Jul 15, 2024 · 0 comments
Closed

web3pwn - User can vote twice once the lock duration elapses #279

sherlock-admin2 opened this issue Jul 15, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin2
Copy link

sherlock-admin2 commented Jul 15, 2024
edited by sherlock-admin4
Loading

web3pwn

High

User can vote twice once the lock duration elapses

Summary

The Voter contract allows users to vote for pools using their staked position's tokenId from the MlumStaking contract, ensuring the position meets minimum lock duration requirements. Once a vote is cast, the position is marked to prevent multiple votes in the same period. However, if the lock duration elapses, users can withdraw their funds, create a new position, and vote again, enabling an exploit where a user can vote twice.

Vulnerability Detail

The vote functions of the Voter contract allow users to vote for specified pools using the tokenId of their staked position in the MlumStaking contract. The function checks if the position's initialLockDuration meets the minimum requirements of _minimumLockTime and ensures that the position's lockDuration is at least equal to _periodDuration. Once a user votes, the _hasVotedInPeriod mapping is updated to mark that the position has voted in the current period, preventing multiple votes with the same position. The issue arises when the lock duration of the position elapses, allowing the user to withdraw all funds from the position. An attacker could exploit this by voting, withdrawing from the position, creating a new position, and voting again, thereby voting twice.

Issue Scenario:

  1. User creates a position with a lock duration of 2 weeks, minting a position with id 10.
  2. Two weeks elapse.
  3. User votes using tokenId 10, marking it as having already voted in _hasVotedInPeriod.
  4. User withdraws from the position, destroying tokenId 10.
  5. User creates a new position, minting a position with tokenId 11.
  6. User votes again, this time using tokenId 11.
  7. The user ends up voting twice using the same amount within the same period.

Impact

A user can vote twice every lockDuration by voting, withdrawing from the position, creating a new position, and voting again.

Code Snippet

Tool used

Manual Review

Recommendation

It is recommended to prevent users from voting twice by verifying the startLockTime of the position and ensuring it was not opened within the current period.

Duplicate of #166
@github-actions github-actions bot added duplicate High A High severity issue. labels Jul 21, 2024
@sherlock-admin2 sherlock-admin2 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@sherlock-admin4 sherlock-admin4 changed the title Blunt Carmine Camel - User can vote twice once the lock duration elapses web3pwn - User can vote twice once the lock duration elapses Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin2 @sherlock-admin4