Revolution Protocol - AkshaySrivastav's results

Lines of code

https://github.com/code-423n4/2023-12-revolutionprotocol/blob/d42cc62b873a1b2b44f57310f9d4bbfdd875e8d6/packages/revolution/src/CultureIndex.sol#L226-L234

Vulnerability details

Impact

In CultureIndex while creating a new piece it's quorum votes are decided based upon the circulation supply of governance tokens at that moment.

    function createPiece(
        ArtPieceMetadata calldata metadata,
        CreatorBps[] calldata creatorArray
    ) public returns (uint256) {
        ...
        newPiece.pieceId = pieceId;
        newPiece.totalVotesSupply = _calculateVoteWeight(
            erc20VotingToken.totalSupply(),
            erc721VotingToken.totalSupply()
        );
        newPiece.totalERC20Supply = erc20VotingToken.totalSupply();
        newPiece.metadata = metadata;
        newPiece.sponsor = msg.sender;
        newPiece.creationBlock = block.number;
        newPiece.quorumVotes = (quorumVotesBPS * newPiece.totalVotesSupply) / 10_000;   // <------
        ...
    }

Consider this scenario:

1. At the initial phase of Revolution protocol when erc20VotingToken supply and erc721VotingToken supply will be 0, an attacker creates large number of pieces.
2. All these pieces will have 0 as ArtPiece.quorumVotes value. Let's call these as null art pieces.
3. Interesting things to note here, due to this condition no user ever will be able to vote on any of these null pieces.

Now there could be two sub-scenarios.

Scenario A: No other pieces get listed on protocol

3. The admin calls unpause.
4. As per the current design of MaxHeap, any one these null voted tokens will be a top voted piece (since all piece has 0 votes).
5. In the admin's unpause call an auction will be created for the top voted null art piece.

Scenario B: Some erc20 governance token supply gets released into market, other valid art pieces gets created and gets auctioned successfully.

3. After a while the MaxHeap contains no valid art pieces, as all valid ones gets auctioned.
4. In the subsequent settleCurrentAndCreateNewAuction call, the last valid piece's auction gets settled and new auction gets created for any one of the null pieces (MaxHeap will return any one null piece as the top voted piece).

In both of the scenarios an auction can be created for an art piece with 0 votes. This happened even when it was not possible to vote for any of those null tokens, i.e. voting was prohibited but auctioning was allowed.

Proof of Concept

Provided above

Tools Used

Manual review

Recommended Mitigation Steps

In CultureIndex.dropTopVotedPiece add this statement: require(totalVoteWeights[piece.pieceId] != 0);

In CultureIndex.createPiece add this statement: require(newPiece.quorumVotes != 0);

Assessed type

Context