code-423n4 / 2022-03-paladin-findings


QA Report #47

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Susceptible to phishing attack allowing cheating of delegated voting power

Rating: NonCritical or High

Need a second opinion on this, because Paladin Token might not be used for voting power and be out of scope of this audit, or the dev may already be aware of this.

Paladin Token has a function delegateBySig() that does not check who the sender is. This is different from delegate(), which is sent by the user.

This is a vulnerability that allows anyone to delegate to anyone without sending a transaction, only by signing a message through MetaMask.

And both normal users and advanced users currently never check what message they are signing. This opens up a web3 phishing attack through a fake website.

Concept

A fake user or warden in the Paladin Discord server sends out invitations for free NFT minting or an airdrop. (This is a long con.)

The attacker opens up a website that requires login, verification or something similar, as long as the user does not suspect what message they are signing. The user clicks the airdrop, register, or login button without suspecting that they are signing a phishing message.

This message will be crafted to delegate the vote to the attacker's address with an infinite expiry time; the nonce can be easily read from contract data, and the signature is signed by the user.

When the attacker has enough signatures over a long time, they delegate all of the voting power to their address by sending bulk transactions, which gives them the voting power of all conned users.

Impact

There is not much damage here except reputation, since HPAL is supposed to replace PAL as the vote token as the project grows. Just be aware of the potential before that.
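A defender-side check for the kind of signing request described in this finding, added here as an example and not part of the finding or of Paladin's code: it inspects an EIP-712 Delegation request before a wallet signs it and flags a third-party delegatee and an effectively infinite expiry. The Compound-style struct field names (delegatee, nonce, expiry), the domain name and all addresses are assumptions or placeholders.

```python
import json
import time

MAX_UINT256 = 2**256 - 1
# Assumption: a delegation that stays valid for more than 30 days is worth flagging.
MAX_EXPIRY_WINDOW = 30 * 24 * 3600


def review_delegation_request(typed_data_json, signer, now=None):
    """Return a list of warnings for an EIP-712 signing request.

    The request is the JSON a dapp passes to eth_signTypedData_v4. Field names
    follow the Compound-style Delegation struct (an assumption about the token).
    """
    data = json.loads(typed_data_json)
    if data.get("primaryType") != "Delegation":
        return []  # not a delegation request; nothing for this check to say
    msg = data["message"]
    delegatee = str(msg.get("delegatee", "")).lower()
    expiry = int(msg.get("expiry", 0))
    now = int(time.time()) if now is None else now
    warnings = []
    if delegatee != signer.lower():
        warnings.append(f"delegates voting power to a third party: {delegatee}")
    if expiry >= MAX_UINT256:
        warnings.append("expiry is effectively infinite: the signature never goes stale")
    elif expiry - now > MAX_EXPIRY_WINDOW:
        warnings.append(f"expiry is {(expiry - now) // 86400} days out")
    return warnings


# Constructed samples. Addresses and the domain are placeholders, not real values.
SIGNER = "0x1111111111111111111111111111111111111111"
DOMAIN = {"name": "PLACEHOLDER_TOKEN", "chainId": 1,
          "verifyingContract": "0x2222222222222222222222222222222222222222"}
# What a phishing site would ask the wallet to sign: attacker as delegatee, no expiry.
PHISHING_REQUEST = json.dumps({
    "primaryType": "Delegation", "domain": DOMAIN,
    "message": {"delegatee": "0xATTACKER_PLACEHOLDER", "nonce": 0,
                "expiry": str(MAX_UINT256)},
})
# A benign self-delegation with a short expiry (evaluated with now=500 in the check).
SELF_DELEGATION_REQUEST = json.dumps({
    "primaryType": "Delegation", "domain": DOMAIN,
    "message": {"delegatee": SIGNER, "nonce": 0, "expiry": 1000},
})

if __name__ == "__main__":
    for w in review_delegation_request(PHISHING_REQUEST, SIGNER):
        print("WARNING:", w)
```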

Kogaroshi commented 2 years ago

The PaladinToken contract is out of scope, and after hPAL is deployed, it will replace the PaladinToken for the voting process.

0xean commented 2 years ago

Invalid as out of scope