code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L504

Vulnerability details

Impact

Unlock time can exceed MAXTIME in increaseUnlockTime()

Proof of Concept

increaseUnlockTime can be called multiple times before expiration to increase unlock_time beyond MAXTIME

  // See IVotingEscrow for documentation
    function increaseUnlockTime(uint256 _unlockTime)
    ..........
    {
        LockedBalance memory locked_ = locked[msg.sender];
        uint256 unlock_time = _floorToWeek(_unlockTime); // Locktime is rounded down to weeks
        // Validate inputs
        require(locked_.amount > 0, "No lock");
        require(unlock_time > locked_.end, "Only increase lock end");
        require(unlock_time <= block.timestamp + MAXTIME, "Exceeds maxtime"); // here

        .........
    }

Tools Used

Manual analysis

lacoop6tu commented 2 years ago

This cannot happen because of "require(unlock_time <= block.timestamp + MAXTIME, "Exceeds maxtime")" A user can call it multiple times to always have the max voting power but if MAXTIME is 1 year, then he won't be able to set an interval bigger than MAXTIME

gititGoro commented 2 years ago

Subtle but essentially the user has to wait for real world time to pass before calling. MAXTIME is relative to the present moment.

code-423n4 / 2022-08-fiatdao-findings

Unlock time can exceed `MAXTIME` in `increaseUnlockTime()` #267

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used