Open sherlock-admin2 opened 10 months ago
Hello,
Thanks a lot for your attention.
After an in-depth review, we have to consider your issue as Confirmed. We will add a check on the values contained in the 3 arrays to ensure duplicates are taken away before starting the process.
Regards, Convergence Team
Hello dear auditor,
We performed the correction of this issue.
We used the trick you gave us to check the duplicates in the arrays of token IDs.
You can find the correction here:
https://github.com/Cvg-Finance/sherlock-cvg/pull/4#discussion_r1457545377
https://github.com/Cvg-Finance/sherlock-cvg/pull/4#discussion_r1457546051
https://github.com/Cvg-Finance/sherlock-cvg/pull/4#discussion_r1457546527
Fix looks good. Arrays that have duplicates or that aren't ordered will cause the function to revert.
cergyk
high
LockingPositionDelegate::manageOwnedAndDelegated unchecked duplicate tokenId allow metaGovernance manipulation
Summary
A malicious user can multiply his share of meta governance delegation for a tokenId by adding that token multiple times when calling manageOwnedAndDelegated.
Vulnerability Detail
Without checks to prevent the addition of duplicate token IDs, a user can artificially inflate their voting power and their metaGovernance delegations.
A malicious user can add the same tokenId multiple times, and thus multiply his own share of meta governance delegation with regards to that tokenId.
Scenario:
manageOwnedAndDelegated and adds the same tokenId 10 times, each time allocating 10% of the voting power to herself.
tokenId, fetched by calling mgCvgVotingPowerPerAddress, harming Bob and Alice metaGovernance voting power.
Impact
The lack of duplicate checks can be exploited by a malicious user to manipulate the metaGovernance system, allowing her to gain illegitimate voting power (up to 100%) on a delegated tokenId, harming the delegator and the other delegations of the same tokenId.
Code Snippet
https://github.com/sherlock-audit/2023-11-convergence/blob/main/sherlock-cvg/contracts/Locking/LockingPositionDelegate.sol#L330
PoC
Add in balance-delegation.spec.ts:
Tool used
Recommendation
Ensure the array of token IDs is sorted and contains no duplicates. This can be achieved by verifying that each tokenId in the array is strictly greater than the previous one, which ensures uniqueness without additional data structures.
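A sketch of the strictly-increasing check recommended above, added here as an example; it is not the code from the Convergence fix. The names `SortedIds`, `NotStrictlyIncreasing`, `DelegationInputGuard` and `manage`, and the three-array signature, are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Added illustration, not the project's code. All names are hypothetical.
library SortedIds {
    /// Raised at the first position where the ordering rule is broken.
    error NotStrictlyIncreasing(uint256 index, uint256 previous, uint256 current);

    /// Reverts unless ids[i] > ids[i - 1] for every i >= 1.
    /// A duplicate fails because ids[i] == ids[i - 1] somewhere in a sorted
    /// array; an unsorted array fails because ids[i] < ids[i - 1] somewhere.
    /// One pass, no mapping and no storage writes. Empty and single-element
    /// arrays pass, and callers must sort their input off-chain.
    function requireStrictlyIncreasing(uint256[] calldata ids) internal pure {
        uint256 len = ids.length;
        for (uint256 i = 1; i < len; ) {
            if (ids[i] <= ids[i - 1]) {
                revert NotStrictlyIncreasing(i, ids[i - 1], ids[i]);
            }
            unchecked {
                ++i; // cannot overflow: i < len
            }
        }
    }
}

/// Hypothetical entry point taking three token ID arrays. Each array is
/// validated before any delegation state would be touched.
contract DelegationInputGuard {
    using SortedIds for uint256[];

    function manage(
        uint256[] calldata idsA,
        uint256[] calldata idsB,
        uint256[] calldata idsC
    ) external pure returns (uint256 accepted) {
        idsA.requireStrictlyIncreasing();
        idsB.requireStrictlyIncreasing();
        idsC.requireStrictlyIncreasing();
        // State updates would follow here; this sketch only returns the
        // number of token IDs that passed validation.
        accepted = idsA.length + idsB.length + idsC.length;
    }
}
```

With this guard, `manage([7, 7], [], [])` and `manage([9, 3], [], [])` both revert with `NotStrictlyIncreasing`, while `manage([3, 7, 9], [], [])` returns 3.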