Assessment reports>Palmy Finance>Informational findings>Centralization risk
Category: Business Logic

Centralization risk

Severity: Informational
Impact: Informational
Likelihood: N/A

Description

The Voter and VotingEscrow contracts allow the privileged accounts, minter and agency respectively, to disrupt the business logic if used with malice.

A malicious minter can add a malicious token to the Voter contract, which can revert the entire checkpoint and/or distribution process. This prevents users from receiving their share of collected fees.

A malicious agency can execute the emergency withdrawal mechanism in the VotingEscrow contract. This mechanism also allows an agency to withdraw the locked asset to themselves, not to the user who deposited the asset.

Impact

The Voter and VotingEscrow contracts can be disrupted in the case where the privileged accounts are exploited with malice (e.g., the malicious actor compromises those privileged accounts). Specifically, a minter in the Voter contract can halt the distribution process, and an agency in the VotingEscrow contract can drain the locked asset.

Recommendations

Consider reducing the privileged features. For instance, the privilege of an agency in the VotingEscrow contract can be reduced by modifying the emergency withdrawal function to only withdraw the asset to the owner of the lock. Also, consider implementing a multi-signature mechanism on the privileged account and adopting a time-lock mechanism in order to minimize the risk of private-key compromise.
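The first recommendation, sketched as an added example; this is not code from the audited contracts or from Familia Labs Ltd. The contract `EscrowSketch`, its `Lock` struct, and every function name are hypothetical, and a standard ERC-20 token that returns `bool` is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical, simplified escrow for illustration; not the audited VotingEscrow.
contract EscrowSketch {
    struct Lock { address owner; uint256 amount; }
    IERC20 public immutable token;
    address public immutable agency; // privileged account
    uint256 public nextLockId;
    mapping(uint256 => Lock) public locks;

    constructor(IERC20 token_, address agency_) {
        token = token_;
        agency = agency_;
    }

    modifier onlyAgency() {
        require(msg.sender == agency, "not agency");
        _;
    }

    // Record the depositor as the lock owner, then pull the tokens in.
    function createLock(uint256 amount) external returns (uint256 lockId) {
        lockId = nextLockId++;
        locks[lockId] = Lock(msg.sender, amount);
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    // Pattern described in the finding: funds go to the caller (the agency),
    // so a compromised agency key can take every locked deposit.
    function emergencyWithdrawToAgency(uint256 lockId) external onlyAgency {
        _release(lockId, msg.sender);
    }

    // Reduced privilege: the agency only triggers the release;
    // the recipient is fixed to the recorded lock owner.
    function emergencyWithdraw(uint256 lockId) external onlyAgency {
        _release(lockId, locks[lockId].owner);
    }

    function _release(uint256 lockId, address to) private {
        uint256 amount = locks[lockId].amount;
        require(amount > 0, "empty lock");
        delete locks[lockId]; // clear state before the external call
        require(token.transfer(to, amount), "transfer failed");
    }
}
```

With only `emergencyWithdraw` exposed, a compromised agency key can force early releases but cannot redirect funds away from depositors.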

Remediation

This issue has been acknowledged by Familia Labs Ltd. Familia Labs Ltd. stated they plan to introduce a multi-signature wallet contract with a time-lock for privileged accounts.

Zellic © 2025