Skip to content

Latest commit

 

History

History
44 lines (23 loc) · 1.46 KB

033.md

File metadata and controls

44 lines (23 loc) · 1.46 KB

Dry Aqua Sheep

Medium

Buying receipts does not change the veNFT manager, allowing manager to perform unwanted operation

Summary

User that sells receipts to get quick liquidity did not change the manager of the receipts, allowing the seller which assuming has the manager address to perform unauthorized operation.

Root Cause

There is a missing function veNFTAerodrome::changeManager not called LoC to change the manager to the new owner. Hence, the previous manager can perform the actions such as voteMultiple, claimBribesMultiple, resetMultiple, extendMultiple & pokeMultiple in Receipt-veNFT.sol.

https://github.com/sherlock-audit/2024-11-debita-finance-v3/blob/main/Debita-V3-Contracts/contracts/buyOrders/buyOrder.sol#L92

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  1. User A create buyOrder
  2. User B sells his receipt to User A
  3. User B still has the ability to vote for his pool, extend the voting escrow and steal bribes.
  • Side Note: If User B calls changeManager, User A can frontrun that transaction and perform (3)

Impact

The buyer may the privilege of voting and resetting during that epoch, also have bribes stolen.

PoC

No response

Mitigation

Include function changeManager and set it to buyer.