Lines of code
https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L513
Vulnerability details

Impact

In the increaseUnlockTime() function, when the lock is undelegated, it calls _checkpoint for msg.sender with oldLocked and locked_. But these two locks, oldLocked and locked_, are actually identical, which makes the logic in the _checkpoint() function work incorrectly.

Proof of Concept

Lines 507-515

The end value of locked_ is updated to unlock_time on line 507, and lines 512-513 copy locked_ into oldLocked and also set its end to unlock_time. So the values of locked_ and oldLocked are identical.

Tools Used

Manual Review

Recommended Mitigation Steps

Update the logic so that the end value of oldLocked is oldUnlockTime.
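As an added, constructed example (not the FIAT DAO VotingEscrow code), the following Solidity contract reproduces the control flow the finding describes, with the reported copy of locked_ into oldLocked and the proposed mitigation side by side. The LockedBalance fields, the helpers _floorToWeek and _copyLock, and the cut-down _checkpoint body (a veCRV-style ledger of slope changes keyed by unlock week) are assumptions of this demo, kept only to make the consequence of the identical structs observable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed, cut-down model of the increaseUnlockTime() flow from the finding.
// It is not the project's VotingEscrow: the struct, the helper names and the
// _checkpoint body are assumptions that keep only the behaviour relevant here.
contract LockTimeCheckpointDemo {
    uint256 public constant WEEK = 7 days;
    uint256 public constant MAXTIME = 365 days;

    struct LockedBalance {
        int128 amount;
        uint256 end;
        address delegatee;
    }

    mapping(address => LockedBalance) public locked;
    // Net slope change scheduled at each unlock timestamp (simplified ledger).
    mapping(uint256 => int128) public slopeChanges;

    function createLock(int128 amount, uint256 unlockTime) external {
        LockedBalance memory newLock = LockedBalance(amount, _floorToWeek(unlockTime), msg.sender);
        LockedBalance memory noLock; // zero struct: nothing scheduled yet
        locked[msg.sender] = newLock;
        _checkpoint(msg.sender, noLock, newLock);
    }

    // Mirrors the reported code: oldLocked.end is overwritten with unlock_time.
    function increaseUnlockTimeBuggy(uint256 unlockTime) external {
        _increaseUnlockTime(unlockTime, false);
    }

    // Mirrors the proposed mitigation: oldLocked.end keeps oldUnlockTime.
    function increaseUnlockTimeFixed(uint256 unlockTime) external {
        _increaseUnlockTime(unlockTime, true);
    }

    function _increaseUnlockTime(uint256 unlockTime, bool applyFix) internal {
        LockedBalance memory locked_ = locked[msg.sender];
        uint256 unlock_time = _floorToWeek(unlockTime);
        require(locked_.amount > 0, "No lock");
        require(locked_.end > block.timestamp, "Lock expired");
        require(unlock_time > locked_.end, "Only increase lock end");
        require(unlock_time <= block.timestamp + MAXTIME, "Exceeds maxtime");

        uint256 oldUnlockTime = locked_.end;
        locked_.end = unlock_time;
        locked[msg.sender] = locked_;

        if (locked_.delegatee == msg.sender) {
            // Undelegated lock: checkpoint the transition old -> new.
            LockedBalance memory oldLocked = _copyLock(locked_);
            // Reported bug: both structs carry unlock_time, so _checkpoint sees
            // no transition at all. The mitigation restores the previous end.
            oldLocked.end = applyFix ? oldUnlockTime : unlock_time;
            _checkpoint(msg.sender, oldLocked, locked_);
        }
    }

    // Simplified veCRV-style checkpoint: cancel the slope decrease scheduled
    // for the old lock end and schedule it at the new lock end instead.
    function _checkpoint(address, LockedBalance memory oldLocked, LockedBalance memory newLocked) internal {
        int128 maxTime = int128(int256(MAXTIME));
        if (oldLocked.end > block.timestamp && oldLocked.amount > 0) {
            slopeChanges[oldLocked.end] += oldLocked.amount / maxTime;
        }
        if (newLocked.end > block.timestamp && newLocked.amount > 0) {
            slopeChanges[newLocked.end] -= newLocked.amount / maxTime;
        }
    }

    // Convenience view: with the bug, the old unlock week still carries a stale
    // slope decrease and the new unlock week carries none; with the fix the
    // decrease has moved from the old week to the new one.
    function scheduledChangeAt(uint256 unlockTime) external view returns (int128) {
        return slopeChanges[_floorToWeek(unlockTime)];
    }

    function _floorToWeek(uint256 t) internal pure returns (uint256) {
        return (t / WEEK) * WEEK;
    }

    // Explicit copy: assigning one memory struct to another would alias it.
    function _copyLock(LockedBalance memory l) internal pure returns (LockedBalance memory) {
        return LockedBalance(l.amount, l.end, l.delegatee);
    }
}
```

To see the difference, call createLock with an amount that is a multiple of MAXTIME (so the integer slope is non-zero) and an end T1, then call increaseUnlockTimeBuggy(T2) from the same account: scheduledChangeAt(T1) still holds the original negative slope and scheduledChangeAt(T2) is zero, because the identical oldLocked and locked_ cancel each other inside _checkpoint. Repeating the sequence with increaseUnlockTimeFixed(T2) leaves scheduledChangeAt(T1) at zero and moves the decrease to T2, which is the behaviour the mitigation restores.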