search

sherlock-audit / 2024-06-velocimeter-judging

11 stars 7 forks source link

pseudoArtist - depositFor function should be restricted to approved NFT types. #540

Closed sherlock-admin4 closed 3 months ago

sherlock-admin4 commented 3 months ago

pseudoArtist

Medium

depositFor function should be restricted to approved NFT types.

Summary

As the title suggests, depositFor function should be restricted to approved NFT types.

Vulnerability Detail

The depositFor function was found to accept NFT of all types (normal, locked, managed) without restriction.

function depositFor(uint256 _tokenId, uint256 _value) external nonReentrant {
  LockedBalance memory oldLocked = _locked[_tokenId];
  require(_value > 0, "VotingEscrow: zero amount");
  require(oldLocked.amount > 0, "VotingEscrow: no existing lock found");
  require(oldLocked.end > block.timestamp, "VotingEscrow: cannot add to expired lock, withdraw");
  _depositFor(_tokenId, _value, 0, oldLocked, DepositType.DEPOSIT_FOR_TYPE);
}

Users should not be allowed to increase the voting power of a locked NFT by calling the depositFor function as locked NFTs are not supposed to vote. Thus, any increase in the voting balance of locked NFTs will not increase the gauge weight, and as a consequence, the influence and yield of the deposited FLOW will be diminished

Impact

Users should not be allowed to increase the voting power of a locked NFT by calling the depositFor function as locked NFTs are not supposed to vote

Code Snippet

https://github.com/sherlock-audit/2024-06-velocimeter-NishithPat/blob/9aef376313ac3d154bf93cba633c7ae33e7e562f/v4-contracts/contracts/VotingEscrow.sol#L826

Tool used

Manual Review

Recommendation

Duplicate of #558