Open c4-bot-4 opened 5 months ago
MarioPoneder marked the issue as primary issue
zjesko (sponsor) confirmed
Voting power is considered an asset and can be lost in this scenario without malicious governance intent or mistake.
MarioPoneder marked the issue as satisfactory
Selected for report due to coded PoC
MarioPoneder marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2024-03-neobase/blob/d6e6127e6763b93c23ee95cdf7622fe950d9ed30/src/GaugeController.sol#L224-L229
https://github.com/code-423n4/2024-03-neobase/blob/d6e6127e6763b93c23ee95cdf7622fe950d9ed30/src/GaugeController.sol#L402
Vulnerability details
Impact
When a gauge that a user has voted for gets removed by the governance, their voting power allocated for that gauge will be lost forever.
Proof of Concept
Due to the current way the GaugeController::vote_for_gauge_weights function is implemented, whenever a given gauge that users have voted for gets removed, all of the voting powers allocated by those users to that gauge will be permanently lost. The same issue has actually already been reported in this report from the last Code4rena contest of the codebase. And as it can be seen from the following snippet:
the recommended fix from that report has actually been implemented. However, there are two other changes there as well. The isValidGauge mapping has been replaced with a new one named gauge_types_, which practically serves the same purpose as the old one in the context of this snippet. More importantly though, a new require statement has been added, as it can be seen on the last code line of the snippet, that checks whether the gauge type is greater than 0 and reverts otherwise. Since the gauge type for a given gauge address can only be 0 in the case where the gauge does not actually exist (i.e. it has been removed or it was never created in the first place), this means that the implemented fix will no longer work and because of that the issue is once again present in the current implementation of the GaugeController.
The following coded PoC, which is a modification of the one in the above linked report, verifies the existence of the issue:
Tools Used
Manual Review
Recommended Mitigation Steps
Remove the additional require statement that checks whether the gauge type for the _gauge_addr is different from 0, in order to allow users to remove their votes from removed gauges:
Assessed type
Invalid Validation
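To make the lock-up described in the finding concrete, the following is an added Python model of the voting flow; it is not the project's code or the warden's PoC. Only the behaviour the report states is reproduced (gauge type 0 means "no such gauge", and the extra require reverts on it); the internal bookkeeping (votes, power_used) and the withdraw-with-zero-weight semantics of the earlier fix are assumptions of this model.

```python
# Added model of the reported GaugeController behaviour (not the project's code).
# The flag selects between the reported check (require gauge type > 0) and the
# recommended mitigation (that require removed).

class VotingPowerLocked(Exception):
    """Raised where the on-chain require would revert the vote change."""


class GaugeController:
    def __init__(self, require_known_gauge_type: bool, max_power: int = 10_000):
        self.require_known_gauge_type = require_known_gauge_type
        self.max_power = max_power
        self.gauge_types_ = {}   # gauge address -> type; 0 means "not a gauge"
        self.votes = {}          # (user, gauge) -> weight currently allocated
        self.power_used = {}     # user -> total weight allocated (assumed bookkeeping)

    def add_gauge(self, gauge: str, gauge_type: int) -> None:
        assert gauge_type > 0, "type 0 is reserved for a non-existent gauge"
        self.gauge_types_[gauge] = gauge_type

    def remove_gauge(self, gauge: str) -> None:
        # Removal is modelled as resetting the type to 0, as the report describes.
        self.gauge_types_[gauge] = 0

    def vote_for_gauge_weights(self, user: str, gauge: str, user_weight: int) -> None:
        gauge_type = self.gauge_types_.get(gauge, 0)
        if self.require_known_gauge_type and gauge_type == 0:
            raise VotingPowerLocked("gauge type is 0, vote reverts")
        # Assumed semantics of the earlier fix: new weight needs a live gauge,
        # but a zero weight is always accepted so votes can be withdrawn.
        if user_weight > 0 and gauge_type == 0:
            raise ValueError("cannot allocate weight to a removed gauge")
        old = self.votes.get((user, gauge), 0)
        used = self.power_used.get(user, 0) - old + user_weight
        if used > self.max_power:
            raise ValueError("used too much power")
        self.votes[(user, gauge)] = user_weight
        self.power_used[user] = used


def recoverable_power(require_known_gauge_type: bool) -> int:
    """Vote all power on a gauge, let governance remove it, try to withdraw.
    Returns how much voting power the user has free afterwards."""
    gc = GaugeController(require_known_gauge_type)
    gc.add_gauge("gauge-A", 1)                      # constructed sample gauge
    gc.vote_for_gauge_weights("alice", "gauge-A", gc.max_power)
    gc.remove_gauge("gauge-A")
    try:
        gc.vote_for_gauge_weights("alice", "gauge-A", 0)   # withdraw the vote
    except VotingPowerLocked:
        pass                                         # power stays allocated
    return gc.max_power - gc.power_used["alice"]
```

With the check in place the user ends with 0 free power; with the require removed the full amount is recoverable.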