TempleGold
TempleDAO
Foundry
25,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Staking Tokens Do Not Gain Voting Powers Without Delegation

gajiknownnothing

Summary

Voting power is not assigned to stakers if they have not explicitly delegated votes.

Vulnerability Details

In the TempleGoldStaking contract, if stakers have not delegated votes to themselves or any other account, their staked tokens do not gain any voting power. This occurs because when the delegates[_for] address is zero, the _moveDelegates function does not call _writeCheckpoint, preventing the allocation of voting power to the staker.

File: contracts\templegold\TempleGoldStaking.sol
260: function stakeFor(address _for, uint256 _amount) public whenNotPaused {
...
268: _moveDelegates(address(0), delegates[_for], _amount);
269: }
552: function _moveDelegates(
553: address srcRep,
554: address dstRep,
555: uint256 amount
556: ) internal {
557: if (srcRep != dstRep && amount > 0) {
...
571: }
572: }

Additionally, the process of _withdrawFor() has a similiar issue that does not decrease voting power if the delegates[_for] address is zero.

Impact

Stakers who do not delegate votes to themselves or another account will not gain any voting power for their staked tokens.

Tools Used

vscode

Recommendations

The _moveDelegates() should handle aforementioned scenario:

  • If srcRep and delegates[_for] are zero addresses, add vote power to the staker address.

  • If dstRep and delegates[_for] are zero addresses, decrease vote power from the staker address.

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Staking Tokens Do Not Gain Voting Powers Without Delegation

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.