3.2 Revisited Delegation Logic in TokenSaleDistributor
ID: PVE-002
Severity: Undetermined
Likelihood: N/A
Impact: N/A
Target: TokenSaleDistributor
Category: Coding Practices
CWE subcategory: CWE-1126
Description
As mentioned in Section 3.1, the PopToken contract is enhanced with voting support so that it can be used to cast and record votes. The related vesting contract is also enhanced with voting support. However, our analysis shows that the vesting contract can be improved to better handle vote delegation scenarios.
In the following, we show the implementation of the related setAllocations() routine. It is an admin function that can be used to set the amount of purchased tokens per user. Once the amount of purchased tokens is set, the last statement _moveDelegates(address(0), delegates[recipients[i]], amounts[i]) (line 360) aims to assign the vote weight (equal to the amount of purchased tokens). However, the weight assignment is a no-op if the recipient has no delegate configured. In other words, the design needs to be revisited to ensure that the delegate weight is given to the recipient itself if the recipient has no delegate configured. Note that this design choice may affect a number of routines, including setAllocations(), resetAllocationsByUser(), and claim().
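The no-op described above can be reproduced with a reduced model. This is an added example, not the audited TokenSaleDistributor code and not the fix in commit ec1c148; it assumes a Compound-style guard inside _moveDelegates(), collapses checkpoint history into a single votes mapping, and the names DelegationDemo, setAllocation, _rep and fallbackToSelf are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; not the audited TokenSaleDistributor code.
// Assumption: checkpoint history is collapsed into one `votes` mapping.
contract DelegationDemo {
    address public immutable admin;
    bool public immutable fallbackToSelf; // hypothetical switch: false = behaviour described above

    mapping(address => address) public delegates;  // recipient => configured delegate
    mapping(address => uint256) public allocation; // purchased tokens per recipient
    mapping(address => uint256) public votes;      // vote weight held by each representative

    constructor(bool _fallbackToSelf) {
        admin = msg.sender;
        fallbackToSelf = _fallbackToSelf;
    }

    // Representative that carries a user's weight.
    function _rep(address user) internal view returns (address) {
        address d = delegates[user];
        return (d == address(0) && fallbackToSelf) ? user : d;
    }

    // Simplified stand-in for setAllocations(): adds to one recipient's allocation.
    function setAllocation(address recipient, uint256 amount) external {
        require(msg.sender == admin, "not admin");
        allocation[recipient] += amount;
        // With fallbackToSelf == false and no delegate, this is
        // _moveDelegates(address(0), address(0), amount): nothing is credited.
        _moveDelegates(address(0), _rep(recipient), amount);
    }

    // Uses the same _rep() rule so that later delegation debits the right holder.
    function delegate(address delegatee) external {
        address from = _rep(msg.sender);
        delegates[msg.sender] = delegatee;
        _moveDelegates(from, _rep(msg.sender), allocation[msg.sender]);
    }

    // Assumed Compound-style guard: the zero address never holds votes.
    function _moveDelegates(address srcRep, address dstRep, uint256 amount) internal {
        if (srcRep == dstRep || amount == 0) return;
        if (srcRep != address(0)) votes[srcRep] -= amount;
        if (dstRep != address(0)) votes[dstRep] += amount;
    }
}
```

Deployed with fallbackToSelf set to false, a recipient who never delegated ends with a non-zero allocation and zero votes; with it set to true, the weight is credited to the recipient and moves correctly on a later delegate() call, which is why every routine that moves weight has to apply the same rule.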
Recommendation
The issue has been fixed by this commit: ec1c148.