sherlock-audit / 2024-01-rio-vesting-escrow-judging


John_Femi - Anyone can cast a vote through the Voting Adaptor #89

Closed sherlock-admin2 closed 9 months ago

sherlock-admin2 commented 9 months ago

John_Femi

medium

Anyone can cast a vote through the Voting Adaptor

Summary

Only escrow recipients and factory owners should be allowed to vote in the OZVotingAdaptor contract.

Vulnerability Detail

There is no access control in the vote function, but we see that in the vestingEscrow contract, we want only the recipient of the escrow to call the vote function, which is quite unnecessary if it can be circumvented by calling the vote from the adaptor directly.

Impact

Lack of incentive to use the escrow if voting can be done outside an escrow contract without issues.

Code Snippet

https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/adaptors/OZVotingAdaptor.sol#L63

https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/adaptors/OZVotingAdaptor.sol#L70

Tool used

Manual Review

Recommendation

Add access control to the vote and voteWithReason functions.

solimander commented 9 months ago

Invalid. The voting adaptor has no voting power itself. It is delegate-called from escrow contracts.

nevillehuang commented 9 months ago

Invalid, the adaptor itself has no voting power - it's delegate-called by vesting escrows with voting power. If the recipient or any user has tokens outside of vested tokens, then they can vote, no issue, so it does not matter if addresses can call delegate, vote, or voteWithReason through it.

Additionally, this has the exact same design and intentions as the Lido escrow contract as seen here, so no issue here.
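To make the delegatecall point in the two replies above concrete, here is an added illustration; it is not code from rio-vesting-escrow or from any commenter, and ToyToken, ToyGovernor, ToyVotingAdaptor, ToyEscrow and Demo are hypothetical stand-ins. The adaptor's vote function has no access control, exactly as the finding describes, yet a direct call reverts because the governor weighs the vote by msg.sender, which is then the token-less adaptor. Only the escrow, which holds the tokens and gates vote on its recipient, can lend its balance to the call, and it does so by delegatecalling the adaptor so that the governor sees the escrow as the caller.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this thread; not code from rio-vesting-escrow.
// All contract and function names below are hypothetical stand-ins.

interface IToken {
    function balanceOf(address) external view returns (uint256);
}

// Constructed token whose balance is the only source of voting power.
contract ToyToken is IToken {
    mapping(address => uint256) public override balanceOf;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
}

// Governor stand-in: weighs a vote by msg.sender's balance and rejects zero weight.
contract ToyGovernor {
    IToken public immutable token;
    mapping(uint256 => mapping(address => uint256)) public weightCast; // proposal => voter => weight
    event VoteCast(address voter, uint256 proposalId, uint8 support, uint256 weight);

    constructor(IToken _token) { token = _token; }

    function castVote(uint256 proposalId, uint8 support) external returns (uint256 weight) {
        weight = token.balanceOf(msg.sender); // power belongs to whoever calls the governor
        require(weight > 0, "no voting power");
        weightCast[proposalId][msg.sender] = weight;
        emit VoteCast(msg.sender, proposalId, support, weight);
    }
}

// Adaptor stand-in: deliberately no access control. `governor` is immutable so the
// value lives in the adaptor's bytecode and is still correct when delegatecalled
// (a storage variable would be read from the caller's storage instead).
contract ToyVotingAdaptor {
    ToyGovernor public immutable governor;
    constructor(ToyGovernor _g) { governor = _g; }

    function vote(uint256 proposalId, uint8 support) external returns (uint256) {
        // Direct call: the governor sees this adaptor as msg.sender (balance 0).
        // Delegatecall from an escrow: the governor sees the escrow as msg.sender.
        return governor.castVote(proposalId, support);
    }
}

// Escrow stand-in: holds the tokens, gates on recipient, and delegatecalls the adaptor.
contract ToyEscrow {
    address public immutable recipient;
    ToyVotingAdaptor public immutable adaptor;

    constructor(address _recipient, ToyVotingAdaptor _adaptor) {
        recipient = _recipient;
        adaptor = _adaptor;
    }

    function vote(uint256 proposalId, uint8 support) external returns (uint256 weight) {
        require(msg.sender == recipient, "only recipient");
        (bool ok, bytes memory ret) = address(adaptor).delegatecall(
            abi.encodeCall(ToyVotingAdaptor.vote, (proposalId, support))
        );
        require(ok, "vote failed");
        weight = abi.decode(ret, (uint256));
    }
}

// Wires everything up so both paths can be exercised from one deployment (e.g. in Remix).
contract Demo {
    ToyToken public token;
    ToyGovernor public governor;
    ToyVotingAdaptor public adaptor;
    ToyEscrow public escrow;

    constructor() {
        token = new ToyToken();
        governor = new ToyGovernor(token);
        adaptor = new ToyVotingAdaptor(governor);
        escrow = new ToyEscrow(address(this), adaptor); // Demo acts as the recipient
        token.mint(address(escrow), 1_000e18);           // only the escrow holds voting power
    }

    // Expected: reverts with "no voting power" because the adaptor owns no tokens.
    function directAdaptorVote() external returns (uint256) {
        return adaptor.vote(1, 1);
    }

    // Expected: returns 1_000e18, recorded under the escrow's address in the governor.
    function escrowVote() external returns (uint256) {
        return escrow.vote(1, 1);
    }
}
```

Deploy Demo and call directAdaptorVote and escrowVote: the first reverts, the second succeeds and governor.weightCast(1, address(escrow)) afterwards equals the escrow's balance. The access check that matters is the one on ToyEscrow.vote, because that is the contract whose balance the governor counts.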