hats-finance / Fenix-Finance-0x83dbe5aa378f3ce160ed084daf85f621289fb92f


Voting tokens may be lost when given to non-EOA accounts #21

Open hats-bug-reporter[bot] opened 4 months ago

hats-bug-reporter[bot] commented 4 months ago

Github username: @Rotcivegaf
Twitter username: rotcivegaf
Submission hash (on-chain): 0x51626ae62b2b7b8e0c29e25debe0d7fa1492cdf4f517ce9d6b408a0070016b47
Severity: medium

Lines:

Description:

When the VotingEscrowUpgradeable contract mints an NFT, it doesn't do the onERC721Received check.

If a user of the escrow system uses a contract that rejects NFTs for any reason, no checks are done, and the NFT can be locked forever.

Attack Scenario:

  1. Alice creates a lock using a contract
  2. The VotingEscrowUpgradeable mints an NFT to this contract
  3. Alice's contract should reject the NFT, as it cannot handle it
  4. The NFT is locked in Alice's contract

Recommended Mitigation Steps:

Implement the _checkOnERC721Received check in the _mint function.
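The following Solidity example is added here to illustrate the report's point; it is not code from the Fenix, Thena or Chronos contracts. It assumes OpenZeppelin Contracts (v4.x or v5.x) is installed; the contract names `LockEscrowVulnerable`, `LockEscrowFixed`, `NaiveLocker`, `ReceiverLocker` and the `ILockEscrow` interface are hypothetical stand-ins for the escrow and for "Alice's contract". The first escrow mints with `_mint`, which never consults the recipient; the second uses `_safeMint`, which runs OpenZeppelin's `_checkOnERC721Received` and reverts when a contract recipient does not implement the `IERC721Receiver` hook.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed dependency: OpenZeppelin Contracts. These import paths are OpenZeppelin's own;
// everything else in this file is illustrative and not from the audited project.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

/// Hypothetical interface shared by both escrow variants below.
interface ILockEscrow {
    function createLock(uint256 amount) external returns (uint256 tokenId);
}

/// Stand-in for an escrow that represents each lock as an NFT (hypothetical, not
/// VotingEscrowUpgradeable). It mints with `_mint`, so no receiver check is performed.
contract LockEscrowVulnerable is ERC721, ILockEscrow {
    uint256 public nextId = 1;
    mapping(uint256 => uint256) public lockedAmount;

    constructor() ERC721("Lock", "LOCK") {}

    /// Caller locks `amount` (the token transfer is omitted) and receives an NFT.
    /// `_mint` never calls onERC721Received: a contract caller that cannot handle
    /// ERC-721 tokens still receives the NFT and may have no way to ever move it.
    function createLock(uint256 amount) external override returns (uint256 tokenId) {
        tokenId = nextId++;
        lockedAmount[tokenId] = amount;
        _mint(msg.sender, tokenId);
    }
}

/// Same escrow with the recommended mitigation: `_safeMint` invokes OpenZeppelin's
/// `_checkOnERC721Received`, so a contract recipient must return
/// IERC721Receiver.onERC721Received.selector or the whole lock creation reverts.
contract LockEscrowFixed is ERC721, ILockEscrow {
    uint256 public nextId = 1;
    mapping(uint256 => uint256) public lockedAmount;

    constructor() ERC721("Lock", "LOCK") {}

    function createLock(uint256 amount) external override returns (uint256 tokenId) {
        tokenId = nextId++;
        lockedAmount[tokenId] = amount;
        // Reverts if msg.sender is a contract that does not implement the receiver hook.
        _safeMint(msg.sender, tokenId);
    }
}

/// Hypothetical "Alice's contract": it has no onERC721Received hook and no function
/// that transfers or approves NFTs it owns. Against LockEscrowVulnerable the call
/// succeeds and the NFT is stuck here; against LockEscrowFixed it reverts, so the
/// user finds out before any value is locked.
contract NaiveLocker {
    function lockWith(address escrow, uint256 amount) external returns (uint256) {
        return ILockEscrow(escrow).createLock(amount);
    }
}

/// A caller that implements the hook, so `_safeMint` accepts it. A production
/// locker would additionally expose a way to transfer the NFT out again.
contract ReceiverLocker is IERC721Receiver {
    function lockWith(address escrow, uint256 amount) external returns (uint256) {
        return ILockEscrow(escrow).createLock(amount);
    }

    function onERC721Received(address, address, uint256, bytes calldata)
        external
        pure
        override
        returns (bytes4)
    {
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

Deploying both escrows and calling `NaiveLocker.lockWith` shows the difference: the vulnerable variant returns a token id that is now owned by a contract with no way to move it, while the fixed variant reverts (OpenZeppelin v5 raises `ERC721InvalidReceiver`, v4 reverts with "ERC721: transfer to non ERC721Receiver implementer"). `ReceiverLocker.lockWith` succeeds against both. The check costs one external call per mint to contract recipients and nothing for EOAs, which is why `_safeMint` is the usual default when the recipient is `msg.sender` rather than a hard-coded EOA.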

BohdanHrytsak commented 4 months ago

Thank you for the submission.

This issue is related to the code and features of contracts inherited from Thena & Chronos, which makes this an OOS submission.

rotcivegaf commented 4 months ago

NFTs can be lost, so it can be classified as a "loss of funds".

BohdanHrytsak commented 4 months ago

Such a case is only possible due to the negligence of users. Due to the lack of criticality and the inheritance from Thena/Chronos, it remains OOS.