code-423n4 / 2023-08-verwa-findings

Governance can change gauge weight of not valid gauge address #89

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/GaugeController.sol#L188-L199

Vulnerability details

Impact

The gauge weight can be forcibly changed by the governance using change_gauge_weight. However, unlike vote_for_gauge_weights, which checks whether the gauge address is valid using isValidGauge, change_gauge_weight does not check this condition. Possible impact:

A malicious governance can pretend to delete a gauge which is unfavourable for the users by removing it using remove_gauge; however, it can still force-change its weight, leading to unfair distribution.

The malicious actor can set a very high weight to a gauge they favor (or control), which may result in that gauge receiving a disproportionate amount of rewards or influence in the system.

Proof of Concept

Add this code to:

    gc.change_gauge_weight(user1, 100);
    assertEq(gc.get_gauge_weight(user1), 100);

https://github.com/code-423n4/2023-08-verwa/blob/a693b4db05b9e202816346a6f9cada94f28a2698/src/test/GaugeController.t.sol#L52-L63

    function testRemoveGauge() public {
        vm.startPrank(gov);

        gc.add_gauge(user1);
        assertTrue(gc.isValidGauge(user1));

        gc.remove_gauge(user1);
        assertTrue(!gc.isValidGauge(user1));
        assertTrue(gc.get_gauge_weight(user1) == 0);

        gc.change_gauge_weight(user1, 100);
        assertEq(gc.get_gauge_weight(user1), 100);

        vm.stopPrank();
    }

You can observe that, despite being deleted, user1 has gained weight again, from 0 to 100. When the governance deleted user1, a deceiving event was created which states that user1 is removed and its weight is 0; however, one step later its weight was increased to 100. This can lead to market manipulation.

Tools Used

Foundry

Recommended Mitigation Steps

Check that it is a valid gauge before updating the weight:

    require(isValidGauge[_gauge], "Invalid gauge address");

Assessed type

Governance

c4-pre-sort commented 1 year ago

141345 marked the issue as duplicate of #36

c4-judge commented 1 year ago

alcueca changed the severity to QA (Quality Assurance)