Closed sherlock-admin2 closed 9 months ago
Invalid. The voting adaptor has no voting power itself. It is delegate-called from escrow contracts.
Invalid, the adaptor itself has no voting power - it’s delegate-called by vesting escrows with voting power. If the recipient or any user has tokens outside of vested tokens, then they can vote with no issue, so it does not matter if addresses can call delegate, vote, or voteWithReason through it.
Additionally, this has the exact same designs and intentions as the Lido escrow contract as seen here, so no issue here.
John_Femi
medium
Anyone can cast a vote through the Voting Adaptor
Summary
Only escrow recipients and factory owners should be allowed to vote in the OZVotingAdaptor contract.
Vulnerability Detail
There is no access control in the vote function, but we see that in the vestingEscrow contract, we want only the recipient of the escrow to call the vote function, which is quite unnecessary if it can be circumvented by calling the vote from the adaptor directly.
Impact
Lack of incentive to use the escrow if voting can be done outside an escrow contract without issues.
Code Snippet
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/adaptors/OZVotingAdaptor.sol#L63
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/adaptors/OZVotingAdaptor.sol#L70
Tool used
Manual Review
Recommendation
Add access control to the vote and voteWithReason functions.
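The delegatecall argument made in the closing comments, modelled as an added Python example (not code from the contest repository or from any commenter). The class names, addresses, balances and the rule that the governor weighs a vote by the calling address's balance are assumptions made for illustration.

```python
# Minimal model of CALL vs DELEGATECALL (constructed; not the Rio contracts).
class Governor:
    """Assumed governor: weighs a vote by the calling address's balance."""
    def __init__(self, balances):
        self.balances = balances      # address -> voting power
        self.tally = {}               # voter address -> weight counted

    def cast_vote(self, msg_sender, proposal_id, support):
        weight = self.balances.get(msg_sender, 0)
        self.tally[msg_sender] = weight
        return weight


class VotingAdaptor:
    """Holds no tokens and has no access control on vote()."""
    address = "adaptor"

    def __init__(self, governor):
        self.governor = governor

    def vote(self, context_address, proposal_id, support):
        # context_address is address(this) of whichever contract is executing
        # the code: the adaptor on a direct CALL, the escrow on DELEGATECALL.
        return self.governor.cast_vote(context_address, proposal_id, support)


class VestingEscrow:
    def __init__(self, address, recipient, adaptor):
        self.address, self.recipient, self.adaptor = address, recipient, adaptor

    def vote(self, msg_sender, proposal_id, support):
        if msg_sender != self.recipient:          # the escrow's own access check
            raise PermissionError("not recipient")
        # DELEGATECALL: adaptor code runs with the escrow's address as context.
        return self.adaptor.vote(self.address, proposal_id, support)


def demo():
    gov = Governor({"escrow": 1000})              # only the escrow holds tokens
    adaptor = VotingAdaptor(gov)
    escrow = VestingEscrow("escrow", "alice", adaptor)
    direct = adaptor.vote(adaptor.address, 1, True)   # anyone, direct CALL
    via_escrow = escrow.vote("alice", 1, True)        # recipient, via escrow
    try:
        escrow.vote("mallory", 1, True)               # non-recipient, via escrow
        blocked = False
    except PermissionError:
        blocked = True
    return direct, via_escrow, blocked
```

In this model a direct call to the adaptor records a vote of weight 0 from the adaptor's own address, while the escrow's vested balance is only reachable through the escrow's recipient check.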