code-423n4 / 2022-06-infinity-findings


Users with vested balances receive the same voting power as if they were locked #147

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/staking/InfinityStaker.sol#L154-L160

Vulnerability details

Impact

Locked tokens that are vested receive the same voting power as unvested locked tokens

Proof of Concept

If a user locks tokens for 3 months, after three months those tokens will be fully redeemable, but they will still count for twice as many votes per token. This allows the users to have both fully liquid tokens (can be unstaked at any time) and increased voting power.

Tools Used

Recommended Mitigation Steps

When calling getUserStakePower, the timestamp of each lock should be compared with the current timestamp, and if the lock is expired it should count as if it was staked in "none".
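The following is an added illustration of the behaviour described in this finding and of the proposed mitigation; it is not code from the InfinityStaker contract. The tier names, the multipliers (1x for "none", 2x for a 3-month lock, taken from the "twice as many votes" claim above) and the 90-day lock length are assumptions made for the model.

```python
from dataclasses import dataclass
from enum import Enum


# Assumed duration tiers and vote multipliers (hypothetical; the real
# InfinityStaker constants may differ). The finding says a 3-month lock
# counts for twice as many votes per token as an unlocked ("none") stake.
class Duration(Enum):
    NONE = 0
    THREE_MONTHS = 1


MULTIPLIER = {Duration.NONE: 1, Duration.THREE_MONTHS: 2}
LOCK_SECONDS = {Duration.NONE: 0, Duration.THREE_MONTHS: 90 * 24 * 3600}


@dataclass
class Stake:
    amount: int        # staked token amount (integer units)
    timestamp: int     # unix time at which the lock was created
    duration: Duration # tier chosen when locking


def is_expired(stake: Stake, now: int) -> bool:
    """A lock is expired once its full duration has elapsed."""
    return now >= stake.timestamp + LOCK_SECONDS[stake.duration]


def redeemable_amount(stakes: list[Stake], now: int) -> int:
    """Tokens the user could unstake right now: every expired lock."""
    return sum(s.amount for s in stakes if is_expired(s, now))


def stake_power_original(stakes: list[Stake], now: int) -> int:
    """Model of the reported behaviour: the multiplier depends only on the
    tier chosen at lock time, so an expired lock keeps its boost even
    though the tokens are fully redeemable."""
    return sum(s.amount * MULTIPLIER[s.duration] for s in stakes)


def stake_power_mitigated(stakes: list[Stake], now: int) -> int:
    """Mitigation suggested in the finding: an expired lock is counted as
    if it had been staked in the "none" tier."""
    total = 0
    for s in stakes:
        tier = Duration.NONE if is_expired(s, now) else s.duration
        total += s.amount * MULTIPLIER[tier]
    return total


if __name__ == "__main__":
    # Constructed scenario: 100 tokens locked for 3 months at t=0.
    stakes = [Stake(amount=100, timestamp=0, duration=Duration.THREE_MONTHS)]
    before = LOCK_SECONDS[Duration.THREE_MONTHS] - 1
    after = LOCK_SECONDS[Duration.THREE_MONTHS] + 24 * 3600
    for label, now in (("before expiry", before), ("after expiry", after)):
        print(label,
              "redeemable:", redeemable_amount(stakes, now),
              "power (original):", stake_power_original(stakes, now),
              "power (mitigated):", stake_power_mitigated(stakes, now))
```

Running the scenario shows the state the finding objects to: one day after the 3-month lock expires the user can redeem all 100 tokens, yet the original model still reports 200 voting power, whereas the mitigated version drops it to 100, the same as an unlocked stake of the same size. The sponsor's reply below treats keeping the multiplier after vesting as intended, so whether the mitigated variant is "correct" is a design decision rather than a bug fix.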

nneverlander commented 2 years ago

Once they are vested, it's fine for them to have the multiplier

HardlyDifficult commented 2 years ago

This seems like a design choice. The power could intentionally be weighted this way because although the tokens could be withdrawn, the user did choose to lock them up for that period of time. Closing as invalid.