Reset causes all state changes in the current epoch to be erased or rollback
Summary
Any state changes or activities before the reset in the current epoch will be lost, leading to a loss of power tokens for the affected users after a result.
Vulnerability Detail
When the zero token holders reset to power token holders, a new PowerToken contract will be deployed, and the bootstrapEpoch_ variable at Line 106 below will be initialized to the previous epoch (current epoch - 1).
Assume that on Epoch 99 (Voting), Alice and Bob do not hold any Power Token (balance = 0).
Assume that during Epoch 100 (Transfer Epoch), the following action takes place:
On Day 31, Alice buys 100,000 Power Tokens from the auction. Alice's balance = 100,000
On Day 38, Bob, an institutional client, received 500,000 Power Tokens from another institutional client (Charles) due to an off-chain deal or agreement. Bob's balance = 500,000
On the last day (Day 44) of the Transfer Epoch, the zero holders vote and execute a Reset to reset the Standard Governor, Emergency Governor, and Power Token to the Power Token holders.
A new Power Token contract is deployed on Day 44, and the bootstrapped balance is based on the previous epoch (Epoch 99).
However, the issue is that Alice and Bob's balances in the newly deployed Power Token contract will be zero. This is because, in Epoch 99, they do not yet own any Power Token.
Alice and Bob owned 100,000 and 500,000 Power Tokens before the reset. However, they owned none after the reset, which effectively caused them to lose their power tokens.
Alice paid 100,000 M tokens to the protocol during the auction to obtain 100,000 Power Tokens before the reset. The 100,000 M tokens will be distributed to the zero holders, yet she owned nothing after the reset. In a sense, one could think that the zero holders and protocol took Alice's funds and rolled back the state to the previous epoch without refunding Alice, resulting in unfairness and loss of assets for her.
Before the reset, Bob paid 1M USD in exchange for 500,000 Power Tokens from Charles. After the reset, Bob owned nothing, and Charles got back his 500,000 Power Tokens and 1M USD. Another point is that Charles might own a majority share of the zero tokens. Thus, he could be incentivized to trigger a reset to roll back the state after their off-chain transaction is completed.
A zero-threshold proposal can be proposed at any time and immediately executable upon achieving the required threshold. Thus, the bootstrapped balance should be based on the state in the current epoch before the reset is executed instead of the previous epoch. Otherwise, any state changes or activities before the reset in the current epoch will be lost. Many important on-chain or off-chain activities can happen in the current epoch. Thus, it is important to ensure that those activities and state changes are not lost.
xiaoming90
high
Reset causes all state changes in the current epoch to be erased or rollback
Summary
Any state changes or activities before the reset in the current epoch will be lost, leading to a loss of power tokens for the affected users after a result.
Vulnerability Detail
When the zero token holders reset to power token holders, a new
PowerToken
contract will be deployed, and thebootstrapEpoch_
variable at Line 106 below will be initialized to the previous epoch (current epoch - 1).https://github.com/sherlock-audit/2023-10-mzero/blob/main/ttg/src/PowerToken.sol#L106
Assume that on Epoch 99 (Voting), Alice and Bob do not hold any Power Token (balance = 0).
Assume that during Epoch 100 (Transfer Epoch), the following action takes place:
On the last day (Day 44) of the Transfer Epoch, the zero holders vote and execute a
Reset
to reset the Standard Governor, Emergency Governor, and Power Token to the Power Token holders.A new Power Token contract is deployed on Day 44, and the bootstrapped balance is based on the previous epoch (Epoch 99).
However, the issue is that Alice and Bob's balances in the newly deployed Power Token contract will be zero. This is because, in Epoch 99, they do not yet own any Power Token.
Alice and Bob owned 100,000 and 500,000 Power Tokens before the reset. However, they owned none after the reset, which effectively caused them to lose their power tokens.
Alice paid 100,000 M tokens to the protocol during the auction to obtain 100,000 Power Tokens before the reset. The 100,000 M tokens will be distributed to the zero holders, yet she owned nothing after the reset. In a sense, one could think that the zero holders and protocol took Alice's funds and rolled back the state to the previous epoch without refunding Alice, resulting in unfairness and loss of assets for her.
Before the reset, Bob paid 1M USD in exchange for 500,000 Power Tokens from Charles. After the reset, Bob owned nothing, and Charles got back his 500,000 Power Tokens and 1M USD. Another point is that Charles might own a majority share of the zero tokens. Thus, he could be incentivized to trigger a reset to roll back the state after their off-chain transaction is completed.
Impact
Loss of power tokens for the affected users.
Code Snippet
https://github.com/sherlock-audit/2023-10-mzero/blob/main/ttg/src/PowerToken.sol#L106
Tool used
Manual Review
Recommendation
A zero-threshold proposal can be proposed at any time and immediately executable upon achieving the required threshold. Thus, the bootstrapped balance should be based on the state in the current epoch before the reset is executed instead of the previous epoch. Otherwise, any state changes or activities before the reset in the current epoch will be lost. Many important on-chain or off-chain activities can happen in the current epoch. Thus, it is important to ensure that those activities and state changes are not lost.