There is no method of returning votes in case of cancellation, resulting in loss of funds
Summary
There is no method for users who have voted to withdraw their votes (tokens) in case of voting cancellation in collectionShutdown because reclaimVotes becomes unavailable after cancellation, which leads to loss of funds.
Vulnerability Detail
In the cancel() function, the _collectionParams[_collection] structure is deleted. Once this happens, the reclaimVote function cannot be used because it uses the _collectionParams[_collection] structure, which will be empty, and, as a result, this will lead to an overflow in the subtraction line:
(params.shutdownVotes = 0, userVotes != 0 → reclaimVote will revert)
The case where users who voted for the liquidation of the collection want to get their money back is the most common user behavior. However, this case was not tested in the tests, and, as shown above, does not work at all, which means the funds of those who voted will be locked.
Scenario 1:
Users voted
cancel() was called
Users cannot retrieve their votes (tokens)
Scenario 2:
Users voted
cancel() was called
Users cannot retrieve their votes (tokens)
start() was called
New users voted
ShutdownVotes increased and now previous users can withdraw their funds, but new ones lost theirs
Scenario 3:
All collection holders voted
cancel() was called
All user funds were lost
Impact
Locking of user funds. This is a critical vulnerability with 100 percent probability.
Cuddly Ocean Gibbon
High
There is no method of returning votes in case of cancellation, resulting in loss of funds
Summary
There is no method for users who have voted to withdraw their votes (tokens) in case of voting cancellation in
collectionShutdown
becausereclaimVotes
becomes unavailable after cancellation, which leads to loss of funds.Vulnerability Detail
In the
cancel()
function, the_collectionParams[_collection]
structure is deleted. Once this happens, thereclaimVote
function cannot be used because it uses the_collectionParams[_collection]
structure, which will be empty, and, as a result, this will lead to an overflow in the subtraction line:https://github.com/sherlock-audit/2024-08-flayer/blob/main/flayer/src/contracts/utils/CollectionShutdown.sol#L369
(
params.shutdownVotes = 0
,userVotes != 0
→reclaimVote
will revert)The case where users who voted for the liquidation of the collection want to get their money back is the most common user behavior. However, this case was not tested in the tests, and, as shown above, does not work at all, which means the funds of those who voted will be locked.
Scenario 1:
cancel()
was calledScenario 2:
cancel()
was calledstart()
was calledShutdownVotes
increased and now previous users can withdraw their funds, but new ones lost theirsScenario 3:
cancel()
was calledImpact
Locking of user funds. This is a critical vulnerability with 100 percent probability.
Code Snippet
https://github.com/sherlock-audit/2024-08-flayer/blob/main/flayer/src/contracts/utils/CollectionShutdown.sol#L390-L405
https://github.com/sherlock-audit/2024-08-flayer/blob/main/flayer/src/contracts/utils/CollectionShutdown.sol#L356-L377
Tool used
Manual Review
Recommendation
Add functionality to withdraw votes in case of voting cancellation.