search

sherlock-audit / 2024-03-zivoe-judging

1 stars 0 forks source link

beWater0given - The vote power is vulnerable to flash loan attack #133

Closed sherlock-admin2 closed 2 months ago

sherlock-admin2 commented 2 months ago

beWater0given

high

The vote power is vulnerable to flash loan attack

Summary

Attackers can acquire substantial voting power through the use of flash loans.

Vulnerability Detail

The ZivoeRewards contract grants vote power based solely on the amount of staked tokens, disregarding the duration of the stake. Additionally, the immediate withdrawal capability after staking (without any lock period) facilitates this exploit.

Attack vector:

  1. The attacker obtains a large quantity of tokens through a flash loan.
  2. Call stake() to stake these tokens, which in turn grants them vote power.
  3. Vote for a proposal.
  4. Call withdraw() to unstake tokens and repay the flash loan.

Impact

Vote manipulation.

Code Snippet

https://github.com/sherlock-audit/2024-03-zivoe/blob/d4111645b19a1ad3ccc899bea073b6f19be04ccd/zivoe-core-foundry/src/ZivoeRewards.sol#L253

https://github.com/sherlock-audit/2024-03-zivoe/blob/d4111645b19a1ad3ccc899bea073b6f19be04ccd/zivoe-core-foundry/src/ZivoeRewards.sol#L299

Tool used

Manual Review

Recommendation

Implement a locking period for staked tokens.

pseudonaut commented 2 months ago

There is a checkpoints value used, not valid

sherlock-admin3 commented 2 months ago

1 comment(s) were left on this issue during the judging contest.

panprog commented:

invalid, voting power is calculated based on checkpoints, which will make flash loan attack not possible (as it will set the checkpoint balance to 0 after withdrawal)