Handle
shw
Vulnerability details
Impact
As the comments said, the functions getTimeLockCount and getTimeLockERC721Count return the number of time-locks of a given ERC20/ERC721 contract. However, these two functions return the total count of time-locks, including those currently locked and those already unlocked. The result of these functions could mislead users.
Proof of Concept
The arrays timelockERC20Keys[token] and timelockERC721Keys[nftContract] are never called with a pop(), i.e., the elements are never removed, even after being unlocked.
Referenced code: Visor.sol#L247-L255
Tools Used
None
Recommended Mitigation Steps
Elements should be popped from the array timelockERC20Keys[token]/timelockERC721Keys[nftContract] when the ERC20/ERC721 tokens are unlocked.
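One way to apply this mitigation, shown as an added example on a simplified model; it is not the Visor contract's own code. Only timelockERC20Keys and getTimeLockCount are names from the finding. The Lock struct, the key derivation, keyIndex, and the lock/unlock functions are assumptions, and token transfers and access control are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model for illustration only (not Visor.sol).
contract TimelockKeysExample {
    struct Lock { uint256 amount; uint256 expires; }         // assumed layout

    mapping(bytes32 => Lock) public locks;                   // assumed storage
    mapping(address => bytes32[]) public timelockERC20Keys;  // name from the finding
    mapping(bytes32 => uint256) private keyIndex;            // hypothetical: 1-based slot of each key

    function lock(address token, address recipient, uint256 amount, uint256 expires) external {
        bytes32 key = keccak256(abi.encodePacked(recipient, token, expires)); // assumed derivation
        require(expires > block.timestamp, "already expired");
        require(locks[key].expires == 0, "lock exists");
        locks[key] = Lock(amount, expires);
        timelockERC20Keys[token].push(key);
        keyIndex[key] = timelockERC20Keys[token].length;
    }

    function unlock(address token, address recipient, uint256 expires) external {
        bytes32 key = keccak256(abi.encodePacked(recipient, token, expires));
        require(locks[key].expires != 0, "no such lock");
        require(block.timestamp >= expires, "still locked");
        delete locks[key];

        // Swap-and-pop: move the last key into the freed slot, then shrink
        // the array, so removal costs O(1) instead of shifting every element.
        bytes32[] storage keys = timelockERC20Keys[token];
        uint256 idx = keyIndex[key] - 1;
        bytes32 last = keys[keys.length - 1];
        keys[idx] = last;
        keyIndex[last] = idx + 1;
        keys.pop();
        delete keyIndex[key]; // also correct when key == last
    }

    // With keys removed on unlock, the length counts only active time-locks.
    function getTimeLockCount(address token) external view returns (uint256) {
        return timelockERC20Keys[token].length;
    }
}
```

Swap-and-pop does not preserve the order of the key array, so callers that enumerate timelockERC20Keys by index must not rely on insertion order.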