Skinny Shadow Sparrow - Unauthorized Delegation of Voting Power Leading to Loss of Token Control

[sherlock-admin4]

Skinny Shadow Sparrow

High

Unauthorized Delegation of Voting Power Leading to Loss of Token Control

Summary

Alice deposits her governance tokens into a pool contract.
The pool contract deploys a surrogate contract for Alice, which holds Alice's tokens and delegates the voting power to Bob.
Now Bob can use Alice's voting power in governance, as the surrogate has delegated 100% of Alice's tokens to Bob.
However, if Bob creates another surrogate contract and delegates Alice's voting power to someone else (e.g., Alex), Alice's tokens are still tied to Bob's surrogate contract. This means that if Alice decides to reclaim her tokens, Bob (or Alex) would still have the voting power, and Alice can't reclaim her tokens unless Bob revokes his delegation.
Issue: Bob Can Delegate to Someone Else Without Alice's Knowledge
The problem here is that Bob can effectively transfer voting power by creating a new surrogate contract and delegating Alice's tokens to someone else (e.g., Alex), but there is no tracking mechanism that ties Bob's delegatee (or the chain of delegations) back to Alice's tokens. This means:

Alice has no direct way to reclaim her voting power unless Bob explicitly revokes the delegation.
If Alice tries to reclaim her tokens, Bob still holds the voting power via the surrogate, but the tokens are locked up until Bob either revokes the delegation or returns the power to Alice.
Solution to the Problem:
You need to track delegations and ensure that Alice can reclaim her tokens regardless of whether Bob delegates them further. This can be done by recording delegatee chains and preventing Bob from arbitrarily transferring Alice's voting power to someone else.

Impact

Depositor not being able to withdraw his funds

Code Snippet

Tool used

Manual Review

Recommendation

You should maintain a delegation chain for each token holder (i.e., Alice) in the surrogate contract. This chain can track where Alice's voting power is being delegated, ensuring it’s clear who has the power at any given time.
Reclaim Tokens with Delegation Reversal:

When Alice attempts to reclaim her tokens, the system should check the current delegatee (Bob or anyone else) and ensure that the tokens are either returned directly to Alice or Bob (whoever has the final delegation).
Prevent Bob from Transferring Voting Power Freely:

Bob should not be allowed to freely delegate voting power without updating the surrogate contract's records. Instead, Bob’s ability to delegate the power should be constrained by the contract, so Alice can always reclaim her tokens from the surrogate once they are no longer delegated.