Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

When a user withdraws tokens using the emergencyWithdraw() function, he does not lose his power.

Summary

The function emergencyWithdraw() does not write a new checkpoint with the new power (0), as the function withdraw() does. So a user could keep his power if he emergency-withdraws his tokens.

Vulnerability Details

In the veRAACToken.sol contract, the function withdraw() writes a checkpoint with power 0, because everything has been burned from the user's balance.

    function withdraw() external nonReentrant {
        ...
        // Update checkpoints
        _checkpointState.writeCheckpoint(msg.sender, 0);
        ...
    }

But the function emergencyWithdraw() does not do this. The user keeps his power, but his balance is 0.

Impact

A user could create proposals and even cast votes although he has no tokens.

    // Governance.sol
    function castVote(uint256 proposalId, bool support) external override returns (uint256) {
        ...
        proposalVote.hasVoted[msg.sender] = true;
        if (support) {
            proposalVote.forVotes += weight;
        } else {
            proposalVote.againstVotes += weight;
        }
        ...
    }

The same situation applies to the function propose().
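The stale-power condition described above, reduced to a minimal Solidity model (an added example, not the veRAACToken or Governance source). Token transfers and lock expiry are omitted, power is assumed equal to the locked amount, and every name other than withdraw and emergencyWithdraw is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration: a stripped-down model, NOT the veRAACToken source.
// All names except withdraw/emergencyWithdraw are hypothetical.
contract CheckpointModel {
    struct Checkpoint { uint256 fromBlock; uint256 power; }

    mapping(address => uint256) public locked;          // tokens held in the lock
    mapping(address => Checkpoint[]) private _history;  // per-user power history

    function _writeCheckpoint(address user, uint256 power) internal {
        _history[user].push(Checkpoint(block.number, power));
    }

    // What governance would read as vote weight: the latest recorded power.
    function votingPower(address user) public view returns (uint256) {
        Checkpoint[] storage h = _history[user];
        return h.length == 0 ? 0 : h[h.length - 1].power;
    }

    function lock(uint256 amount) external {
        locked[msg.sender] += amount;
        _writeCheckpoint(msg.sender, locked[msg.sender]); // assumption: power == amount
    }

    function withdraw() external {
        locked[msg.sender] = 0;
        _writeCheckpoint(msg.sender, 0); // power follows the balance
    }

    // Mirrors the reported behaviour: balance cleared, checkpoint untouched.
    function emergencyWithdraw() external {
        locked[msg.sender] = 0;
    }

    // Mirrors the recommendation: every exit path zeroes the power.
    function emergencyWithdrawFixed() external {
        locked[msg.sender] = 0;
        _writeCheckpoint(msg.sender, 0);
    }

    // Invariant a test suite can assert after every exit path.
    function powerMatchesBalance(address user) external view returns (bool) {
        return locked[user] != 0 || votingPower(user) == 0;
    }
}
```

After lock() followed by emergencyWithdraw(), powerMatchesBalance() returns false for the caller; after withdraw() or emergencyWithdrawFixed() it returns true.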

Tools Used

Manual review

Recommendations

Reset power to 0 in the emergencyWithdraw() function:

function emergencyWithdraw() external nonReentrant {
...
+ // Update checkpoints
+ _checkpointState.writeCheckpoint(msg.sender, 0);
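Review bot: the added _checkpointState.writeCheckpoint(msg.sender, 0) follows an elided body (...) and the hunk ends without the function's closing brace, so its position relative to the rest of emergencyWithdraw() is not shown. Place it with the function's other state updates, as withdraw() does under its "// Update checkpoints" comment, and add a regression test asserting that the weight used by castVote() and propose() is 0 for an account after it calls emergencyWithdraw().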
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken::emergencyWithdraw doesn't update checkpoint - inaccurate historical voting power, inconsistent state
