theweb3mechanic - Malicious attacker can cheat the voting mechanism to sunset the collection #782
Comments
sherlock-admin2
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
theweb3mechanic
Medium
Malicious attacker can cheat the voting mechanism to sunset the collection
Summary
A dishonest party can cheat the voting mechanism to influence the vote when users are trying to sunset a collection
Vulnerability Detail
The protocol leaves a room for users to create and canceling listing at any instant. An attacker can create a malicuous contract that will do the following
CreateListingfrom listing contractCollectionShutdowncontractCancelListingfrom the listing contractImpact
Attacker can influence votes provided that they have enough collection ERC20 token
Code Snippet
https://github.com/sherlock-audit/2024-08-flayer/blob/0ec252cf9ef0f3470191dcf8318f6835f5ef688c/flayer/src/contracts/utils/CollectionShutdown.sol#L135
Tool used
Manual Review
Recommendation
consider setting a cool down time fot which users will be able to cancel, from when the listing was created
The text was updated successfully, but these errors were encountered: