code-423n4 / 2023-09-delegate-findings

Impossible for the owner to change rights #374

Closed c4-submissions closed 9 months ago

c4-submissions commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-09-delegate/blob/main/src/DelegateToken.sol#L392

Vulnerability details

Impact

An escrowed token's rights cannot be altered once it has been placed in escrow.

When a user creates a delegate token and principal token, they set the rights. Rights such as "" and flashloan grant the ability to use the flashloan function. If the delegate token owner initially escrows the token with other rights, for example governance, and later decides to unlock the ability to borrow the token for a single transaction, he cannot do that.

The owner has to wait for the token to expire and then create a new escrow with different rights, which is an unlikely behavior.

Tools Used

Manual review

Recommended Mitigation Steps

Add the possibility for the delegate token owner to change rights to "" or flashloan whenever he wants.

Assessed type

Other

GalloDaSballo commented 10 months ago

I believe they could rescind and create a new version

Interested in what the Sponsor thinks

0xfoobar commented 9 months ago

This is desired behavior: the delegate token owner needs to be assured of what they hold, and the principal token owner needs to be assured of what they issued.

c4-sponsor commented 9 months ago

0xfoobar (sponsor) disputed

GalloDaSballo commented 9 months ago

After reading the Sponsor's comment, given my own interpretation, I agree that this is not an issue

c4-judge commented 9 months ago

GalloDaSballo marked the issue as unsatisfactory: Invalid