Absence of validation for input parameters

Summary

Absence of validation for input parameters in OZVotingAdaptor.sol#delegate.

Vulnerability Detail

    /// @notice Delegate votes.
    /// @param params The ABI-encoded delegatee address.
    function delegate(bytes calldata params) external {
        IVotes(votingToken).delegate(abi.decode(params, (address)));
    }

If the input data params for the delegate function does not have the expected size of 20 bytes, a data decoding error will occur.

Impact

Incorrect data decoding and contract refusal to process requests.

Code Snippet

https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/2d14c2b84b69c53a45c81aa4f907af9617f9a94f/rio-vesting-escrow/src/adaptors/OZVotingAdaptor.sol#L57

Tool used

Manual Review

Recommendation

Add a length check for input data to avoid potential errors in the contract's operation.

function delegate(bytes calldata params) external {
    if (params.length != 20) revert ("Invalid parameter length");

    IVotes(votingToken).delegate(abi.decode(params, (address)));
}

nevillehuang commented 9 months ago

Invalid, this would constitute user input error not valid based on sherlock rules

User input validation: User input validation to prevent user mistakes is not considered a valid issue.

sherlock-admin2 commented 9 months ago

1 comment(s) were left on this issue during the judging contest.

pratraut commented:

'invalid as delegate of votes is supposed to be happened via escrow contract'

sherlock-audit / 2024-01-rio-vesting-escrow-judging

millietez - Absence of validation for input parameters #106