Overt Garnet Dog - MakerDAO allows users to fill in someone's delegate vote address on `selectVoteDelegate`. As a result, the user cannot perform `vote`. #131
As a result, when users perform selectVoteDelegate(user's urn, someone's voteDelegate) transaction which is the "lock" token on VoteDelegate contact it's becoming useless.
Because the user cannot participate in the "vote" / cannot call functions that have "delegate_auth"
PoC
First, add these changes to VoteDelegateMock.sol for the delegate_auth test
Overt Garnet Dog
Low/Info
MakerDAO allows users to fill in someone's delegate vote address on
selectVoteDelegate
. As a result, the user cannot performvote
.Summary
When a users call
LockstakeEngine#selectVoteDelegate
with someone's delegatevote address, it will works.But the user cannot participate in the
vote
, because they are not the delegate of that delegatevote contract address.Root Cause
A variable
delegate
is filled as msg.sender when usercreate
VoteDelegate.And to participate in a vote / call
vote
on aVoteDelegate
contract, it must have access control delegate_auth:While the
LockstakeEngine#selectVoteDelegate
contract allows users to fill in someone'sVoteDelegate
.This is because LockstakeEngine#selectVoteDelegate does not verify that the caller must be a delegate of the
VoteDelegate
address they are filling in.Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
As a result, when users perform
selectVoteDelegate(user's urn, someone's voteDelegate)
transaction which is the "lock" token onVoteDelegate
contact it's becoming useless.Because the user cannot participate in the "vote" / cannot call functions that have "delegate_auth"
PoC
First, add these changes to
VoteDelegateMock.sol
for thedelegate_auth
testThen, paste the PoC code below into
LockstakeEngine.t.sol
- run with
forge test --match-test test_wrong_address_voteDelegate_cant_vote
Mitigation
There is a helper function to check the creator or the
delegate
of theVoteDelegate
on theVoteDelegateFactory
contract.So, use that to verify in
LockstakeEngine#selectVoteDelegate
like this: