Closed code423n4 closed 2 years ago
Expected behaviour
veFDT will always used in combination with a blocklist contract
we don't initialize blocklist in the constructor bc blocklist itself is initialized with the address of veFDT. so veFDT is deployed first but only accepts deposits once a blocklist is initialized
The reverted calls is enough signal that the blocklist hasn't been deployed. Adding new code to handle an incomplete deploy script penalizes the users' gas at the benefit for the deployer.
Lines of code
https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L124-L130
Vulnerability details
Unset blocklist will cause reverts to most functions.
While it may seem natural to have a blocklist setup at this time, the constructor doesn't take it as an argument.
Additionally, in the future, the DAO may vote to remove the blocklist, however, an unset blockList causes Reverts as the
modifier
always runs the call to the contract, and settingblockList
to address(0) (or never setting it), will cause reverts.https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L124-L130
POC
I encountered this error when trying to build a POC for another attack, see steps below
All functions won't work until
blocklist
is set.Remediation Steps
Add a check for
blocklist
being zero, and skip the callAdditionally you could add
initialBlocklist
as a constructor argument