Open hats-bug-reporter[bot] opened 4 months ago
Thank you for the submission.
The submission is valid, the timestamp is not initialized anywhere, which leads to some methods not working as expected (incorrectly)
There is not enough criticality and critical cases to recognize it as valid.
Since this code is inherited and is original from Thena, OOS
According to Hats rules in Fenix Finance competition for Medium severity issue, it says: "Attacks that make essential functionality of the contracts temporarily unusable or inaccessible."
And, the fact that the timestamp
variable of a checkpoint is not initialized will render these main functions (_moveTokenDelegates, _moveAllDelegates) not working as expected (you said above)
_findWhatCheckpointToWrite -> _moveTokenDelegates -> _mint
_findWhatCheckpointToWrite -> _moveTokenDelegates -> _burn
_findWhatCheckpointToWrite -> _moveAllDelegates -> _delegate -> delegate/delegateBySig
getPastVotesIndex -> getPastVotes
The question of whether the issue is valid is not raised, as there is indeed a problem with the timestamp.
It is located in the OOS section as it is inherited from the Thena/Chronos code and is not included in the scope.
The issue itself does not lead to critical consequences that are described in the scopes to include it in the scopes, so it remains OOS
Github username: -- Twitter username: -- Submission hash (on-chain): 0xd51491b4ee1eb4d153c1d3bc1742a54ae571356fd6346f437ff4d7f76d46bc86 Severity: medium
Description: Context: VotingEscrowUpgradeable.sol#L1251, VotingEscrowUpgradeable.sol#L1163, VotingEscrowUpgradeable.sol#L56
Description\ A checkpoint contains a
timestamp
variable which stores the block number the checkpoint is created.Attack Scenario\ However, it was found that the
timestamp
variable of a checkpoint was not initialized anywhere in the codebase. Therefore, any function that relies on the fromBlock of a checkpoint will break.The
VotingEscrowUpgradeable._findWhatCheckpointToWrite
andVotingEscrowUpgradeable.getPastVotesIndex
functions were found to rely on thetimestamp
variable of a checkpoint for computation. The following is a list of functions that calls these two affected functions.Instance 1 -
VotingEscrowUpgradeable._findWhatCheckpointToWrite
functionThe
VotingEscrowUpgradeable._findWhatCheckpointToWrite
function verifies if thetimestamp
of the latest checkpoint of an account is equal to the current block number. If true, the function will return the index number of the last checkpoint.As such, this function does not work as intended and will always return the index of a new checkpoint.
Instance 2 -
VotingEscrowUpgradeable.getPastVotesIndex
functionThe
VotingEscrowUpgradeable.getPastVotesIndex
function relies on thetimestamp
of the latest checkpoint for optimization purposes. If the request block number is the most recently updated checkpoint, it will return the latest index immediately and skip the binary search. Since thetimestamp
variable is not populated, the optimization will not work.Recommendation: Initialize the
timestamp
variable of the checkpoint in the codebase.