Closed c4-submissions closed 1 year ago
I believe they could rescind and create a new version
Interested in what the Sponsor thinks
This is desired behavior; the delegate token owner needs to be assured of what they hold, and the principal token owner needs to be assured of what they issued
0xfoobar (sponsor) disputed
After reading the Sponsor's comment, given my own interpretation, I agree that this is not an issue
GalloDaSballo marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-09-delegate/blob/main/src/DelegateToken.sol#L392
Vulnerability details
Impact
An escrowed token's rights cannot be altered once it has been placed in escrow.
When a user creates a delegate token and principal token, they set the rights. Rights such as `""` and `flashloan` grant the ability to use the `flashloan` function. If the delegate token owner initially escrows the token with other rights, for example `governance`, and later decides to unlock the ability to borrow the token for a single transaction, he cannot do that. The owner has to wait for the token to expire and then create a new escrow with different rights, which is an unlikely behavior.
Tools Used
Manual review
Recommended Mitigation Steps
Add the possibility for the delegate token owner to change rights to `""` or `flashloan` whenever he wants.
Assessed type
Other