Tiny Gingerbread Tarantula
Medium
The veNFTVault.sol contract interacts with external contracts that are outside the audit scope and is missing some important checks, which might cause unexpected behaviour.
The veNFTVault contract contains multiple functions that interact with an external voter contract using the attached_NFTID. However, when the NFT is withdrawn via the withdraw() function, the attached_NFTID is deleted (set to 0) but no validation is performed in subsequent calls that use this ID.
The affected functions are:
- reset()
- vote()
- claimBribes()
- extendLock()
- poke()
Calling these functions with an invalid NFT ID (0) could lead to:
- Silent failures where the voter contract accepts the zero ID but doesn't perform the intended action
- Reverts if the voter contract has zero-check validations
- Unexpected behavior if the zero ID is actually valid in the voter contract
- Potential cross-function reentrancy vectors if the voter contract's behavior with ID 0 is exploitable
1. User deposits NFT ID 5 into the vault
2. User withdraws the NFT, setting attached_NFTID to 0
3. Factory calls vote() or any other voter-related function
4. The function proceeds to call the voter contract with ID 0, which may cause unexpected behavior
Add a validation check in all functions that use attached_NFTID:
```solidity
function vote(address[] calldata _poolVote, uint256[] calldata _weights) external onlyFactory {
    require(attached_NFTID != 0, "NFT not attached");
    voterContract voter = voterContract(getVoterContract_veNFT());
    voter.vote(attached_NFTID, _poolVote, _weights);
}
```
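A heuristic source check for the recommendation above, added here as an example (it is not part of the original report or the audited code base): it lists functions that pass attached_NFTID to an external call without the zero check. The sample contract and the helper names `function_bodies` and `unguarded` are constructed for illustration, and the regex matching is an assumption-laden approximation, not a Solidity parser.

```python
import re

# Constructed sample, not the audited contract: vote() carries the guard,
# reset() and poke() do not, and withdraw() is where the ID gets cleared.
SAMPLE = """
contract Vault {
    uint256 public attached_NFTID;
    function vote(address[] calldata p, uint256[] calldata w) external onlyFactory {
        require(attached_NFTID != 0, "NFT not attached");
        voter.vote(attached_NFTID, p, w);
    }
    function reset() external onlyFactory {
        voter.reset(attached_NFTID);
    }
    function poke() external onlyFactory {
        voter.poke(attached_NFTID);
    }
    function withdraw() external {
        delete attached_NFTID;
    }
}
"""

FUNC = re.compile(r"function\s+(\w+)\s*\([^)]*\)[^{;]*\{")
GUARD = re.compile(r"require\s*\(\s*attached_NFTID\s*(!=\s*0|>\s*0)")
# The ID passed as any argument of a member call, e.g. voter.reset(attached_NFTID)
FORWARDED = re.compile(r"\.\s*\w+\s*\([^;]*\battached_NFTID\b")

def function_bodies(src):
    """Yield (name, body) per function, matching braces to find the body end."""
    for m in FUNC.finditer(src):
        depth, i = 1, m.end()
        while depth and i < len(src):
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]

def unguarded(src):
    """Names of functions that forward attached_NFTID without a zero check."""
    return [name for name, body in function_bodies(src)
            if FORWARDED.search(body) and not GUARD.search(body)]

if __name__ == "__main__":
    for name in unguarded(SAMPLE):
        print(f"{name}(): forwards attached_NFTID without a zero check")
```

A guard implemented as a modifier rather than an inline require would need its own pattern added to `GUARD`.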