This PR fixes a permanent freezing of funds vulnerability in the Locking Vault by preventing delegation to address(0) in the changeDelegation function. This is required because the changeDelegation function will reduce the voting power of the user's current delegate before adding it to the new delegate, but the deposit function treats delegation to address(0) as a first time deposit and will only increase the voting power of the firstDelegation by the newly deposited amount, without re-assigning existing voting power.
As an example:
Victim has a deposit of 100,000 ELFI and has delegated to themselves.
first time deposit so Victim.delegate = Victim, Victim.amount += 100,000
Attacker deposits 10,000 ELFI by delegating to themselves.
first time deposit so Attacker.delegate = Attacker, Attacker.amount += 10,000
This PR fixes a permanent freezing of funds vulnerability in the Locking Vault by preventing delegation to
address(0)
in thechangeDelegation
function. This is required because thechangeDelegation
function will reduce the voting power of the user's current delegate before adding it to the new delegate, but thedeposit
function treats delegation toaddress(0)
as a first time deposit and will only increase the voting power of thefirstDelegation
by the newly deposited amount, without re-assigning existing voting power.As an example:
Victim.delegate = Victim
,Victim.amount += 100,000
Attacker.delegate = Attacker
,Attacker.amount += 10,000
address(0)
.Attacker.amount -= 10,000
,Attacker.delegate = address(0)
,address(0).amount += 10,000
Attacker.delegate = Victim
,Victim.amount += 0
address(0)
, this backs out 10,000 ELFI voting power and results in only 90,000 ELFI left.Victim.amount -= 10,000
,Attacker.delegate = address(0)
,address(0).amount += 10,000