c4-bot-6 closed 9 months ago
0xSorryNotSorry marked the issue as sufficient quality report
0xSorryNotSorry marked the issue as duplicate of #152
Trumpero changed the severity to QA (Quality Assurance)
Trumpero marked the issue as grade-b
Trumpero marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/tokens/ERC20Gauges.sol#L532-L534
Vulnerability details
Impact
The position of i++ is wrong, which may lead to an infinite loop.
The incrementer is present inside the if statement. Thus, if a userGaugeWeight has 0 weight, the code will get stuck in an infinite loop. This issue with the FEI contracts was also reported during the MAIA DAO audit here.
_decrementWeightUntilFree is used in transfer, transferFrom and _burn functions, which can lead to a lot of issues.
Proof of Concept
In the above code, when userGaugeWeight == 0, i is not incremented, resulting in an infinite loop. The current protocol does not restrict getUserGaugeWeight[user][gauge] == 0.
Tools Used
Manual Review
Recommended Mitigation Steps
Move the i++ statement outside the if statement.
Assessed type
Loop
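The loop shape described in the report, next to the recommended form, as an added illustration that is not the project's ERC20Gauges code. The contract name, function names and the flat `weights` array are assumptions standing in for the per-user gauge list and getUserGaugeWeight lookups.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Added illustration only: models the increment placement discussed in the
/// report over a constructed list of weights, with no token or gauge state.
contract LoopIncrementDemo {
    /// Increment inside the `if`: a zero-weight entry reached before `needed`
    /// is met never advances `i`, so the call spins until it runs out of gas.
    function freeIncrementInsideIf(uint112[] memory weights, uint256 needed)
        external
        pure
        returns (uint256 freed)
    {
        uint256 size = weights.length;
        for (uint256 i = 0; i < size && freed < needed; ) {
            uint112 userGaugeWeight = weights[i];
            if (userGaugeWeight != 0) {
                freed += userGaugeWeight;
                unchecked {
                    ++i; // only reached for non-zero weights
                }
            }
        }
    }

    /// Increment outside the `if`, as the report recommends: every entry is
    /// visited at most once, so the loop is bounded by `size`.
    function freeIncrementOutsideIf(uint112[] memory weights, uint256 needed)
        external
        pure
        returns (uint256 freed)
    {
        uint256 size = weights.length;
        for (uint256 i = 0; i < size && freed < needed; ) {
            uint112 userGaugeWeight = weights[i];
            if (userGaugeWeight != 0) {
                freed += userGaugeWeight;
            }
            unchecked {
                ++i; // always advances, including past zero-weight entries
            }
        }
    }
}
```

With a constructed input whose first entry is zero and a non-zero `needed`, the first function exhausts its gas and reverts, while the second skips the entry and returns normally.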