sherlock-audit / 2024-01-rio-vesting-escrow-judging


sonny2k - Missing validation if votingToken in OZVotingAdaptor is the same as the token specified by VestingEscrowFactory #114

Closed sherlock-admin closed 9 months ago

sherlock-admin commented 9 months ago

sonny2k

high

Missing validation if votingToken in OZVotingAdaptor is the same as the token specified by VestingEscrowFactory

Summary

When updating a new voting adaptor, the factory owner may choose an OZVotingAdaptor with a different token from the token defined originally in VestingEscrowFactory.

Vulnerability Detail

There is no check that the tokens from these 2 contracts are the same.

Impact

A user's voting power can be larger than usual if the token from VestingEscrowFactory has less value on the market than the token in OZVotingAdaptor.

Code Snippet

https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/VestingEscrowFactory.sol#L97

Tool used

Manual Review

Recommendation

Perform a check on the OZVotingAdaptor's token before changing it.

nevillehuang commented 9 months ago

Invalid. This would constitute user input error, which is not valid based on Sherlock rules, so this is purely a sanity check.

  1. User input validation: User input validation to prevent user mistakes is not considered a valid issue.