code-423n4 / 2022-08-fiatdao-findings


Missing voting power update from `increaseUnlockTime` #326

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L493-L523

Vulnerability details

[PNM-002] Missing voting power update from increaseUnlockTime

Links

Description

Users can increase their voting power in VotingEscrow.sol by locking funds, delegating funds, or extending the time that their funds are locked.

When a user delegates funds to another user and then increases the time that the funds are locked by calling increaseUnlockTime, the voting power should increase, just as the first user's voting power increases in the same scenario when he or she does not delegate the funds.

However, this is not the case, as there are no operations that increase the power of the delegated user when increaseUnlockTime is called.

PoC / Attack Scenario

Suggested Fix

Include operations that increase the delegated user's power when the delegating user calls increaseUnlockTime.

lacoop6tu commented 2 years ago

This is an expected behaviour

gititGoro commented 2 years ago

The warden doesn't make clear why this should occur, simply that it should occur. Marking invalid.