Platform: Code4rena
Start Date: 21/07/2023
Pot Size: $90,500 USDC
Total HM: 8
Participants: 60
Period: 7 days
Judge: 0xean
Total Solo HM: 2
Id: 264
League: ETH
Rank: 19/60
Findings: 1
Award: $589.87
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Anirruth
Also found by: DadeKuma, Matin, MohammedRizwan, bart1e, giovannidisiena, ladboy233, rvierdiiev
589.8716 USDC - $589.87
https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/external/council/CoreVoting.sol#L13
https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/external/council/CoreVoting.sol#L15
The block time related parameters of a proposal become less than what was expected
The ArcadeGSCCoreVoting contract inherits from the CoreVoting contract and initializes it in its constructor. According to the documentation, the CoreVoting contract is out of scope; however, as ArcadeGSCCoreVoting does nothing but initialize that contract, we can conclude that it should be analyzed too. If we look deeper at the Council's CoreVoting contract, we can see it was written and audited before the Ethereum merge. As stated on line 13, the block-time calculations assume an average block time of 13.3 seconds. Before the merge, the block time had some fluctuations, but the mean block time was 13.3 seconds. After the merge, this value dropped considerably and was set to 12 seconds per block.
Considering this fact, we can see the actual DAY_IN_BLOCKS becomes 7200. We can derive the following calculations:
δ : DAY_IN_BLOCKS difference parameter
β : lockDuration difference parameter
α : extraVoteTime difference parameter
-----------------------------------------
δ = 7200 - 6496 = 704
β = δ * 3 = 2112
α = δ * 5 = 3520
As we can see from the calculations above, the differences in the lockDuration and extraVoteTime parameters become more noticeable. The lockDuration and extraVoteTime difference parameters reach nearly 1/3 and 1/2 of the actual DAY_IN_BLOCKS respectively. This means that the actual DAY_IN_BLOCKS affects the proposal times by truncating the desired time interval of the aforementioned parameters. Thus, a proposal's lockDuration and extraVoteTime become ~8 and ~12 hours-in-block less than the expected time respectively.
Manual Review
Consider modifying the DAY_IN_BLOCKS parameter and resetting it with respect to the PoS Ethereum block time.
Math
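Added example (not part of the original report or of the Council/Arcade code): the derivation above carried through in Python, generalized to any set of block-denominated durations and also converting each shortfall to wall-clock hours at the actual block time. The 3-day and 5-day multipliers are read off the report's β and α formulas; the function and class names are illustrative.

```python
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class Shortfall:
    name: str
    configured_blocks: int  # value the contract ends up with
    intended_blocks: int    # blocks needed to cover the intended number of days
    missing_blocks: int
    missing_hours: float    # wall-clock time lost at the actual block time


def day_in_blocks(block_time_s: float) -> int:
    """Blocks per day, truncated the way an integer constant would be."""
    return int(SECONDS_PER_DAY / block_time_s)


def shortfalls(configured_day: int, actual_block_time_s: float, days_by_param: dict) -> list:
    """Compare block-denominated durations against the actual block time."""
    actual_day = day_in_blocks(actual_block_time_s)
    delta = actual_day - configured_day  # δ in the report
    report = []
    for name, days in days_by_param.items():
        missing = delta * days  # β and α in the report
        report.append(Shortfall(
            name=name,
            configured_blocks=configured_day * days,
            intended_blocks=actual_day * days,
            missing_blocks=missing,
            missing_hours=missing * actual_block_time_s / 3600,
        ))
    return report


# Values from the report: 6496 blocks/day (13.3 s blocks), 12 s blocks after the merge.
# The 3 and 5 day multipliers are assumptions read off the report's β and α formulas.
REPORT = shortfalls(
    configured_day=day_in_blocks(13.3),
    actual_block_time_s=12,
    days_by_param={"lockDuration": 3, "extraVoteTime": 5},
)

if __name__ == "__main__":
    for row in REPORT:
        print(f"{row.name}: {row.missing_blocks} blocks short "
              f"({row.missing_hours:.2f} h at 12 s/block)")
```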
#0 - c4-pre-sort
2023-07-29T13:47:49Z
141345 marked the issue as duplicate of #56
#1 - c4-judge
2023-08-11T16:35:06Z
0xean marked the issue as satisfactory
#2 - c4-judge
2023-08-11T16:35:22Z
0xean changed the severity to 2 (Med Risk)
#3 - c4-judge
2023-08-14T16:26:09Z
0xean changed the severity to QA (Quality Assurance)
#4 - c4-judge
2023-08-14T16:28:43Z
0xean marked the issue as grade-c
#5 - c4-judge
2023-08-16T12:34:13Z
This previously downgraded issue has been upgraded by 0xean
#6 - captainmangoC4
2023-08-16T17:02:48Z
Removing stray "unsatisfactory" label per judge's request
#7 - c4-judge
2023-08-16T20:17:01Z
0xean marked the issue as not a duplicate
#8 - c4-judge
2023-08-16T20:17:26Z
0xean marked the issue as duplicate of #56