Open code423n4 opened 2 years ago
Lines 257-259 are actually meaningless and are not causing any error/side effects; they can be removed. In the mStable impl, they used a dynamic array so they had to push an empty point with the first index, while we are using a fixed one which is already there. But I don't see the similarity for "Similar issue with value of pointHistory[epoch] in line 372".
So essentially the issue is just that lines 257-259 are unnecessary but don't affect in any way the proper functioning of the system. That's why I think it's a QA severity.
Duplicate of #316
Lines of code
https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L257-L264
https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L372
Vulnerability details
Impact
In function `_checkpoint()`, new values of `userPointHistory` and `pointHistory` overwrite old values instead of being appended to the end of the list, i.e. creating a new element. The result is that if we try to get `balanceOf` or `totalSupply` at the current block number, it just returns a wrong value because the value of `globalEpoch` is overwritten.
Proof of Concept
Line 257-264
When `uEpoch == 0`, the value of `userPointHistory` with `index = uEpoch + 1` is updated to `userOldPoint`, but in line 264 the value of `userPointHistory` with `index = uEpoch + 1` is overwritten with `userNewPoint`, which basically makes lines 257-259 meaningless. Similar issue with the value of `pointHistory[epoch]` in line 372.
Tools Used
Manual Review
Recommended Mitigation Steps
Update the logic of `_checkpoint()`, for example, use the `++` operator to make sure `epoch` is increased each time it appends a new element.
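As an added illustration of the sponsor's point (this is not code from the FIAT DAO contract or from anyone in the thread), a small Python model of the two history styles: an epoch-indexed fixed history where the early write at `uEpoch + 1` is immediately overwritten, and a dynamic-array history where the initial push does matter. Struct fields and function names are assumptions for the model.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Point:
    """Constructed stand-in for the contract's point struct (assumed fields)."""
    bias: int
    slope: int
    ts: int


def checkpoint_fixed(history: Dict[int, Point], u_epoch: int,
                     old: Point, new: Point) -> int:
    """Epoch-indexed history as the thread describes the contest code: when
    u_epoch == 0 the old point is written at u_epoch + 1 and then overwritten
    by the new point at the same index, so the first write has no effect."""
    if u_epoch == 0:
        history[u_epoch + 1] = old  # the redundant write (lines 257-259)
    u_epoch += 1                    # epoch is bumped before the real write
    history[u_epoch] = new          # line 264 in the thread's numbering
    return u_epoch


def checkpoint_fixed_trimmed(history: Dict[int, Point], u_epoch: int,
                             old: Point, new: Point) -> int:
    """Same logic with the redundant write removed; `old` is unused."""
    u_epoch += 1
    history[u_epoch] = new
    return u_epoch


def checkpoint_dynamic(history: List[Point], old: Point, new: Point,
                       push_initial: bool = True) -> int:
    """Dynamic-array history (the mStable style the sponsor refers to): the
    initial push is what puts the first real point at index 1; without it
    every later epoch index is off by one."""
    if push_initial and len(history) == 0:
        history.append(old)
    history.append(new)
    return len(history) - 1


def redundant_write_is_noop(old: Point, new: Point) -> bool:
    """True when both fixed variants end in the same epoch and same history."""
    a: Dict[int, Point] = {}
    b: Dict[int, Point] = {}
    same_epoch = checkpoint_fixed(a, 0, old, new) == checkpoint_fixed_trimmed(b, 0, old, new)
    return same_epoch and a == b
```

Running `redundant_write_is_noop` on any pair of points returns True, which is the observable basis for treating the finding as QA rather than a balance-corrupting bug.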