Each time addRewardToken() is called, new entries are added to the array, but doing so does not remove any old entries. By calling the function multiple times, an attacker can increase their voting power indefinitely, without having to acquire new tokens.
File: contracts/Penrose.sol
378       /// @notice Registers an existing Singularity market (without deployment)
379       /// @dev can only be called by the owner
380       /// @param mc The address of the master contract which must be already registered
381       function addSingularity(
382           address mc,
383           address _contract
384       ) external onlyOwner registeredSingularityMasterContract(mc) {
385           isMarketRegistered[_contract] = true;
386           clonesOf[mc].push(_contract);
387           emit RegisterSingularity(_contract, mc);
388:      }

411       /// @notice Registers an existing BigBang market (without deployment)
412       /// @dev can only be called by the owner
413       /// @param mc The address of the master contract which must be already registered
414       function addBigBang(
415           address mc,
416           address _contract
417       ) external onlyOwner registeredBigBangMasterContract(mc) {
418           isMarketRegistered[_contract] = true;
419           clonesOf[mc].push(_contract);
420           emit RegisterBigBang(_contract, mc);
421:      }
Lines of code
455, 280, 378, 411
Assessed type
other
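The append-without-deduplication pattern in the excerpt above, next to a guarded form, as an added example that is not the audited project's code. `MarketRegistry`, `addMarketUnchecked`, `addMarket`, `AlreadyRegistered`, `RegisterMarket` and `clonesOfLength` are hypothetical names; `clonesOf` and `isMarketRegistered` mirror the state variables in the excerpt.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Added illustration only. Contract, function, error and event names are
/// hypothetical; clonesOf and isMarketRegistered mirror the excerpt.
contract MarketRegistry {
    address public immutable owner;
    mapping(address => address[]) public clonesOf;
    mapping(address => bool) public isMarketRegistered;

    error NotOwner();
    error AlreadyRegistered(address market);

    event RegisterMarket(address indexed market, address indexed mc);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    /// Unguarded form, same shape as the excerpt: every call pushes, so
    /// registering one address twice leaves two entries in clonesOf[mc].
    function addMarketUnchecked(address mc, address market) external onlyOwner {
        isMarketRegistered[market] = true;
        clonesOf[mc].push(market);
        emit RegisterMarket(market, mc);
    }

    /// Guarded form: the existing flag doubles as a duplicate check, so any
    /// code that iterates clonesOf[mc] sees each market exactly once.
    function addMarket(address mc, address market) external onlyOwner {
        if (isMarketRegistered[market]) revert AlreadyRegistered(market);
        isMarketRegistered[market] = true;
        clonesOf[mc].push(market);
        emit RegisterMarket(market, mc);
    }

    /// Array length per master contract, useful for asserting in tests that
    /// a repeated registration did not grow the list.
    function clonesOfLength(address mc) external view returns (uint256) {
        return clonesOf[mc].length;
    }
}
```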