The RWAVotingEscrow::merge function will result in loss of funds and corrupt the total voting power entry in the contract if the input tokenId and intoTokenId match. Specifically, the function will calculate the new combinedLockBalance as double the original, the remainingVestingDuration the same as the original, and will ultimately burn the token with the inflated entries thereby causing the tokens associated with it to become irredeemable.
Impact:
Merging of a token with itself will result in loss of funds as well as an inflated _lockedBalance and potentially non-zero _remainingVestingDuration which would result in this exhibit being medium in severity.
After re-evaluation, we identified that it is possible for the contract's $._totalVotingPowerCheckpoints entry to be manipulated in this way and thus cause the governance system to become inaccessible thereby rendering this to be upgraded to major.
RWV-04M: Inexistent Prevention of Self-Merging
Description:
The
RWAVotingEscrow::merge
function will result in loss of funds and corrupt the total voting power entry in the contract if the inputtokenId
andintoTokenId
match. Specifically, the function will calculate the newcombinedLockBalance
as double the original, theremainingVestingDuration
the same as the original, and will ultimately burn the token with the inflated entries thereby causing the tokens associated with it to become irredeemable.Impact:
Merging of a token with itself will result in loss of funds as well as an inflated
_lockedBalance
and potentially non-zero_remainingVestingDuration
which would result in this exhibit being medium in severity.After re-evaluation, we identified that it is possible for the contract's
$._totalVotingPowerCheckpoints
entry to be manipulated in this way and thus cause the governance system to become inaccessible thereby rendering this to be upgraded to major.Example:
Recommendation:
We advise the code to prevent the same
tokenId
from being merged with itself by ensuring that thetokenId
is not equal to theintoTokenId
.