FloorDAO / floor-v2

Floor aims to create a fully onchain governance mechanism for sweeping and deploying NFTs to profitable NFT-Fi strategies as well as seeding liquidity for its own NFT-Fi products.
https://floor.xyz

Vote Revoking Edge Cases allow double voting #34

Closed aleph-v closed 1 year ago

aleph-v commented 1 year ago

In the SweepWars contract the votes are allowed for either collections in the approved collections mapping or for the constant address 0x1. The revoke function, however, only revokes votes for the collections in the approvedCollections array, which does not contain 0x1. Therefore a user can vote for 0x1 and then withdraw from vFloor and retain this vote. In another case, if a collection is unapproved, all of the votes are frozen and all users can withdraw and then redeposit, and vote for that collection again. If this was executed as a coordinated attack, a collection could be made permanently the highest voted collection.
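The accounting gap reported above, as an added Python model that is not part of the issue thread or the floor-v2 source: it compares a revoke that walks only the approved list with one that walks the targets a user actually voted on, and exposes a stale-vote check usable as a test invariant. The class, method and collection names (`SweepWarsModel`, `stale_votes`, `collA`, `collB`) and all amounts are assumptions made for illustration.

```python
# Simplified model of the vote accounting described in the issue (constructed, not contract code).
FLOOR_TOKEN_VOTE = "0x1"  # constant vote target named in the issue

class SweepWarsModel:
    def __init__(self, approved, track_user_targets):
        self.approved = list(approved)   # stands in for the approvedCollections array
        self.power = {}                  # user -> voting power held
        self.user_votes = {}             # (user, collection) -> votes cast
        self.totals = {}                 # collection -> total votes
        self.track = track_user_targets  # False reproduces the reported behaviour

    def deposit(self, user, amount):
        self.power[user] = self.power.get(user, 0) + amount

    def vote(self, user, collection, amount):
        if collection != FLOOR_TOKEN_VOTE and collection not in self.approved:
            raise ValueError("collection not approved")
        spent = sum(v for (u, _), v in self.user_votes.items() if u == user)
        if spent + amount > self.power.get(user, 0):
            raise ValueError("insufficient voting power")
        key = (user, collection)
        self.user_votes[key] = self.user_votes.get(key, 0) + amount
        self.totals[collection] = self.totals.get(collection, 0) + amount

    def unapprove(self, collection):
        self.approved.remove(collection)

    def withdraw(self, user):
        if self.track:  # hardened: revoke every target this user voted on
            targets = [c for (u, c) in self.user_votes if u == user]
        else:           # reported: only currently approved collections are walked
            targets = list(self.approved)
        for c in targets:
            votes = self.user_votes.pop((user, c), 0)
            self.totals[c] = self.totals.get(c, 0) - votes
        self.power[user] = 0

    def stale_votes(self):
        """Invariant check: votes still counted for users holding no power."""
        return {k: v for k, v in self.user_votes.items()
                if v and self.power.get(k[0], 0) == 0}

def scenario(track_user_targets):
    m = SweepWarsModel(["collA", "collB"], track_user_targets)
    m.deposit("alice", 100)
    m.vote("alice", FLOOR_TOKEN_VOTE, 60)
    m.vote("alice", "collA", 40)
    m.unapprove("collA")   # collA votes are now outside the approved list
    m.withdraw("alice")
    return m.stale_votes(), m.totals
```

An empty `stale_votes()` result after every withdrawal is the property a regression test for this issue would assert.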

tomwade commented 1 year ago

I want to have a think on this one to determine whether the FLOOR token can be added as an approved collection, or if there will need to be additional logic going in place (FLOOR_TOKEN_VOTE)

tomwade commented 1 year ago

I have been able to remove the 0x1 address definition from the SweepWars contract and it doesn't affect it negatively. The expected flow should be that the Floor token is added to the approved collections.