This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

0xBhumii - Lack of Validation for Updating Minimum Lock Time in Voting Contract #419

Closed
sherlock-admin3 opened this issue Jul 15, 2024 · 1 comment
Labels
Non-Reward This issue will not receive a payout

Comments

@sherlock-admin3

sherlock-admin3 commented Jul 15, 2024

0xBhumii

High

Lack of Validation for Updating Minimum Lock Time in Voting Contract

Summary

The Voter contract allows the owner to update the minimum lock time for voting eligibility without any validation checks or restrictions. This can lead to a situation where users who have locked their tokens for the initial minimum period may lose their voting power if the minimum lock time is increased. This issue can result in users losing their ability to participate in ongoing voting periods, undermining the fairness and predictability of the voting process.

Vulnerability Detail

In the Voter contract, the owner can update the minimum lock time required for voting by calling the updateMinimumLockTime function. However, this function lacks any validation or restrictions, allowing the owner to arbitrarily increase the minimum lock time. If users have locked their tokens for the initially specified minimum period and the owner increases the minimum lock time during an ongoing voting period, these users will lose their voting power for that period. This creates an unfair scenario where users cannot predict or rely on their voting eligibility.

Impact

Users who have locked their tokens for the initially specified minimum period may lose their voting power if the minimum lock time is increased by the owner. This undermines the fairness and predictability of the voting process, leading to potential user dissatisfaction and loss of trust.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/Voter.sol#L172

function updateMinimumLockTime(uint256 lockTime) external onlyOwner {
    if (lockTime == 0) revert IVoter_ZeroValue();
    _minimumLockTime = lockTime;
    emit MinimumLockTimeUpdated(lockTime);
}

Tool used

Manual Review

Recommendation

Modify the code so that changes to the minimum lock time only take effect after the current voting period has ended.

function updateMinimumLockTime(uint256 lockTime) external onlyOwner {
    if (lockTime == 0) revert IVoter_ZeroValue();
    if (_votingStarted() && !_votingEnded()) revert IVoter__CannotUpdateDuringVoting();

    _minimumLockTime = lockTime;
    emit MinimumLockTimeUpdated(lockTime);
}
@github-actions github-actions bot added duplicate High A High severity issue. labels Jul 21, 2024
@sherlock-admin3 sherlock-admin3 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@sherlock-admin4 sherlock-admin4 changed the title Silly Aquamarine Rook - Lack of Validation for Updating Minimum Lock Time in Voting Contract 0xBhumii - Lack of Validation for Updating Minimum Lock Time in Voting Contract Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
@WangSecurity

Invalid based on the comment #166 (comment)

@WangSecurity WangSecurity removed High A High severity issue. Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Aug 21, 2024
@sherlock-admin2 sherlock-admin2 added Non-Reward This issue will not receive a payout and removed Reward A payout will be made for this issue labels Aug 21, 2024
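
An alternative to the revert-based guard in the Recommendation, shown as an added example that is not part of the issue or of the MagicSea code base: the minimum lock time is snapshotted when a voting period starts, so an owner update never changes eligibility for the period already running. Every name other than `updateMinimumLockTime` and `MinimumLockTimeUpdated` is hypothetical, and the period bookkeeping is a simplified assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration; not the MagicSea Voter contract. State layout, errors
/// and startNewVotingPeriod/isEligible are hypothetical stand-ins.
contract MinimumLockTimeSnapshot {
    error ZeroValue();
    error NotOwner();
    error PeriodStillActive();

    event MinimumLockTimeUpdated(uint256 lockTime);

    address public immutable owner;
    uint256 public currentPeriodId;
    uint256 public currentPeriodEnd;
    uint256 private _minimumLockTime;
    // Minimum lock time frozen at the start of each voting period.
    mapping(uint256 => uint256) public periodMinimumLockTime;

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(uint256 lockTime) {
        if (lockTime == 0) revert ZeroValue();
        owner = msg.sender;
        _minimumLockTime = lockTime;
    }

    // Applies from the next period on; the running period keeps its snapshot.
    function updateMinimumLockTime(uint256 lockTime) external onlyOwner {
        if (lockTime == 0) revert ZeroValue();
        _minimumLockTime = lockTime;
        emit MinimumLockTimeUpdated(lockTime);
    }

    function startNewVotingPeriod(uint256 duration) external onlyOwner {
        if (block.timestamp < currentPeriodEnd) revert PeriodStillActive();
        currentPeriodId += 1;
        currentPeriodEnd = block.timestamp + duration;
        periodMinimumLockTime[currentPeriodId] = _minimumLockTime;
    }

    // Eligibility check a vote function would run against the frozen value.
    function isEligible(uint256 lockDuration) public view returns (bool) {
        return lockDuration >= periodMinimumLockTime[currentPeriodId];
    }
}
```

Unlike the revert-based variant, the owner can queue a new value at any time, and the `MinimumLockTimeUpdated` event gives lockers notice before the next period begins.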