Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Self-Delegation Allowed

Summary

The delegateBoost function does not prevent users from delegating their boost to themselves (to == msg.sender). This may not be the intended behavior and could lead to unintended consequences, such as users artificially inflating their own boost.

Vulnerability Details

  • The function does not check if the to address is the same as the msg.sender.

  • This allows users to delegate their boost to themselves, which may not be the intended behavior.

  • Self-delegation could be used to artificially inflate a user's boost, undermining the fairness of the governance process.

Impact

  • Unintended Behavior: Users can delegate boost to themselves, potentially exploiting the system.

  • Reduced Trust: Users may lose trust in the governance system if self-delegation is allowed.

PoC

  1. A user calls delegateBoost with to = msg.sender.

  2. The function allows the delegation, even though it may not be the intended behavior.

  3. The user's boost is artificially inflated, potentially affecting governance outcomes.

Tools Used

Manual Review

Recommendations

Add a check to prevent users from delegating their boost to themselves:

if (to == msg.sender) revert CannotDelegateToSelf();

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
