Voter.replaceFactory() and Voter.addFactory() functions are broken.
Summary
The Voter.replaceFactory() and Voter.addFactory() functions are broken due to invalid validation.
Vulnerability Detail
In the addFactory() function, the line require(!isFactory[_pairFactory], 'factory true'); is missing.
In the replaceFactory() function, the isFactory and isGaugeFactory checks are incorrect:
require(isFactory[_pairFactory], 'factory false'); // <=== should be !isFactory
require(isGaugeFactory[_gaugeFactory], 'g.fact false'); // <=== should be !isGaugeFactory
These issues lead to the invariant being broken, allowing multiple instances of a factory or gauge to be pushed to the factories and gaugeFactories arrays.
Impact
Broken code. DoS when calling Voter.createGauge().
eeyore
Medium
Code Snippet
https://github.com/sherlock-audit/2024-06-velocimeter/blob/main/v4-contracts/contracts/Voter.sol#L155-L185
Tool used
Manual Review
Recommendation
Add the require(!isFactory[_pairFactory], 'factory true'); validation to the addFactory() function.
Fix the checks in the replaceFactory() function:
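The validation described in this report, as an added example rather than code from the report or the Velocimeter repository: a simplified stand-alone model of the factory registry with the checks the report asks for. The contract name FactoryRegistryModel, the _pos parameter, the bounds check, the 'g.fact true' check in addFactory() and the omission of access control are assumptions of the model.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified stand-alone model (hypothetical), not the Velocimeter Voter.sol.
// Access control is omitted here; a real deployment must restrict both functions.
contract FactoryRegistryModel {
    address[] public factories;
    address[] public gaugeFactories;
    mapping(address => bool) public isFactory;
    mapping(address => bool) public isGaugeFactory;

    // Invariant: an address appears at most once in its array, and the
    // isFactory / isGaugeFactory flags are true only for addresses in the arrays.

    function addFactory(address _pairFactory, address _gaugeFactory) external {
        require(_pairFactory != address(0), "addr 0");
        require(_gaugeFactory != address(0), "addr 0");
        // The check the report says is missing: reject an already registered factory.
        require(!isFactory[_pairFactory], "factory true");
        // Assumed counterpart check for the gauge factory.
        require(!isGaugeFactory[_gaugeFactory], "g.fact true");
        factories.push(_pairFactory);
        gaugeFactories.push(_gaugeFactory);
        isFactory[_pairFactory] = true;
        isGaugeFactory[_gaugeFactory] = true;
    }

    // _pos (assumed parameter): index of the pair being overwritten.
    function replaceFactory(address _pairFactory, address _gaugeFactory, uint256 _pos) external {
        require(_pos < factories.length, "bad pos");
        require(_pairFactory != address(0), "addr 0");
        require(_gaugeFactory != address(0), "addr 0");
        // Negated checks, as the report recommends: the new addresses must
        // not already be registered, otherwise the arrays gain a duplicate.
        require(!isFactory[_pairFactory], "factory true");
        require(!isGaugeFactory[_gaugeFactory], "g.fact true");
        // Clear the flags of the entries being overwritten, then register the new ones.
        isFactory[factories[_pos]] = false;
        isGaugeFactory[gaugeFactories[_pos]] = false;
        factories[_pos] = _pairFactory;
        gaugeFactories[_pos] = _gaugeFactory;
        isFactory[_pairFactory] = true;
        isGaugeFactory[_gaugeFactory] = true;
    }
}
```

In this model both addresses passed to replaceFactory() must be unregistered, so a call that keeps one side of the existing pair and changes only the other reverts.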