Closed sherlock-admin2 closed 2 months ago
There is a checkpoints value used, not valid
1 comment(s) were left on this issue during the judging contest.
panprog commented:
invalid, voting power is calculated based on checkpoints, which will make flash loan attack not possible (as it will set the checkpoint balance to 0 after withdrawal)
beWater0given
high
The vote power is vulnerable to flash loan attack
Summary
Attackers can acquire substantial voting power through the use of flash loans.
Vulnerability Detail
The
ZivoeRewards
contract grants vote power based solely on the amount of staked tokens, disregarding the duration of the stake. Additionally, the immediate withdrawal capability after staking (without any lock period) facilitates this exploit.Attack vector:
stake()
to stake these tokens, which in turn grants them vote power.withdraw()
to unstake tokens and repay the flash loan.Impact
Vote manipulation.
Code Snippet
https://github.com/sherlock-audit/2024-03-zivoe/blob/d4111645b19a1ad3ccc899bea073b6f19be04ccd/zivoe-core-foundry/src/ZivoeRewards.sol#L253
https://github.com/sherlock-audit/2024-03-zivoe/blob/d4111645b19a1ad3ccc899bea073b6f19be04ccd/zivoe-core-foundry/src/ZivoeRewards.sol#L299
Tool used
Manual Review
Recommendation
Implement a locking period for staked tokens.