search

sherlock-audit / 2023-10-mzero-judging

3 stars 2 forks source link

xiaoming90 - Reset causes all state changes in the current epoch to be erased or rollback #56

Closed sherlock-admin2 closed 5 months ago

sherlock-admin2 commented 5 months ago

xiaoming90

high

Reset causes all state changes in the current epoch to be erased or rollback

Summary

Any state changes or activities before the reset in the current epoch will be lost, leading to a loss of power tokens for the affected users after a result.

Vulnerability Detail

When the zero token holders reset to power token holders, a new PowerToken contract will be deployed, and the bootstrapEpoch_ variable at Line 106 below will be initialized to the previous epoch (current epoch - 1).

https://github.com/sherlock-audit/2023-10-mzero/blob/main/ttg/src/PowerToken.sol#L106

File: PowerToken.sol
095:     constructor(
096:         address bootstrapToken_,
097:         address standardGovernor_,
098:         address cashToken_,
099:         address vault_
100:     ) EpochBasedInflationaryVoteToken("Power Token", "POWER", 0, ONE / 10) {
101:         if ((bootstrapToken = bootstrapToken_) == address(0)) revert InvalidBootstrapTokenAddress();
102:         if ((standardGovernor = standardGovernor_) == address(0)) revert InvalidStandardGovernorAddress();
103:         if ((_nextCashToken = cashToken_) == address(0)) revert InvalidCashTokenAddress();
104:         if ((vault = vault_) == address(0)) revert InvalidVaultAddress();
105: 
106:         uint16 bootstrapEpoch_ = bootstrapEpoch = (_clock() - 1);
..SNIP..

Assume that on Epoch 99 (Voting), Alice and Bob do not hold any Power Token (balance = 0).

Assume that during Epoch 100 (Transfer Epoch), the following action takes place:

On the last day (Day 44) of the Transfer Epoch, the zero holders vote and execute a Reset to reset the Standard Governor, Emergency Governor, and Power Token to the Power Token holders.

Bootstrap

A new Power Token contract is deployed on Day 44, and the bootstrapped balance is based on the previous epoch (Epoch 99).

However, the issue is that Alice and Bob's balances in the newly deployed Power Token contract will be zero. This is because, in Epoch 99, they do not yet own any Power Token.

Alice and Bob owned 100,000 and 500,000 Power Tokens before the reset. However, they owned none after the reset, which effectively caused them to lose their power tokens.

Alice paid 100,000 M tokens to the protocol during the auction to obtain 100,000 Power Tokens before the reset. The 100,000 M tokens will be distributed to the zero holders, yet she owned nothing after the reset. In a sense, one could think that the zero holders and protocol took Alice's funds and rolled back the state to the previous epoch without refunding Alice, resulting in unfairness and loss of assets for her.

Before the reset, Bob paid 1M USD in exchange for 500,000 Power Tokens from Charles. After the reset, Bob owned nothing, and Charles got back his 500,000 Power Tokens and 1M USD. Another point is that Charles might own a majority share of the zero tokens. Thus, he could be incentivized to trigger a reset to roll back the state after their off-chain transaction is completed.

Impact

Loss of power tokens for the affected users.

Code Snippet

https://github.com/sherlock-audit/2023-10-mzero/blob/main/ttg/src/PowerToken.sol#L106

Tool used

Manual Review

Recommendation

A zero-threshold proposal can be proposed at any time and immediately executable upon achieving the required threshold. Thus, the bootstrapped balance should be based on the state in the current epoch before the reset is executed instead of the previous epoch. Otherwise, any state changes or activities before the reset in the current epoch will be lost. Many important on-chain or off-chain activities can happen in the current epoch. Thus, it is important to ensure that those activities and state changes are not lost.

nevillehuang commented 5 months ago

Invalid, known issue as design decision, see scenario 1 highlighted in Chain security M-06