TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

All users are required to call `delegate` to have votes

jesjupyter

Summary

In `TempleGoldStaking` contract. by default, delegates would be address(0) for a given input address. If user doesn't call delegate by themselves, their votes would always remain 0. This does not align with the common practice as people who stakes can not get votes automatically, instead, he would needs to pay the gas to call delegate to be able to have votes. Since users are forced to pay extra fees to have votes, this disincentives and discourages the users from joining the governance.

Vulnerability Details

By default, delegates would return address(0) for a given input address if it has not be set before.

mapping(address account => address delegate) public delegates;

If it is not set before, the staker would get 0 vote since the vote is moved from address(0) to delegates[for] which is still address(0).

function stakeFor(address _for, uint256 _amount) public whenNotPaused {

if (_amount == 0) revert CommonEventsAndErrors.ExpectedNonZero();

// pull tokens and apply stake

stakingToken.safeTransferFrom(msg.sender, address(this), _amount);

uint256 _lastIndex = _accountLastStakeIndex[_for];

_accountLastStakeIndex[_for] = ++_lastIndex;

_applyStake(_for, _amount, _lastIndex);

@=> _moveDelegates(address(0), delegates[_for], _amount);

}

This does not align with the common practice as people who stakes can not get votes automatically, instead, he would needs to pay the gas to call delegate to be able to have votes.

function delegate(address delegatee) external override {

return _delegate(msg.sender, delegatee);

}

Impact

Users are forced to pay extra fees to have votes. This disincentives and discourages the users from joining the governance.

Tools Used

Manual

Recommendations

By default, if the user has not called delegate before, the vote should go to msg.sender.

I would recommend implement a function to return the delegates:

If the user calls delegate function before, return delegates[user]
If the user doesn't call it before, return address(user).

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Assigned finding tags:

Staking Tokens Do Not Gain Voting Powers Without Delegation

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.