Ajna Protocol - deadrxsezzz's results

A peer to peer, oracleless, permissionless lending protocol with no governance, accepting both fungible and non fungible tokens as collateral.

General Information

Platform: Code4rena

Start Date: 03/05/2023

Pot Size: $60,500 USDC

Total HM: 25

Participants: 114

Period: 8 days

Judge: Picodes

Total Solo HM: 6

Id: 234

League: ETH

Researcher Performance

Rank: 41/114

Findings: 1

Award: $253.66

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: rbserver

Also found by: deadrxsezzz, rvierdiiev

Labels

bug
2 (Med Risk)
satisfactory
duplicate-288

Awards

253.665 USDC - $253.66

External Links

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/Funding.sol#L76-#L93

Vulnerability details

Impact

Users can get more or less voting power than what they should be able to.

Proof of Concept

According to the docs:

Voting power is the minimum of the amount of votes available at a snapshot block 33 blocks prior to voting start, and at the vote starting block.

However, with the current implementation there are 2 scenarios where it would malfunction and a wrong number of votes would be accumulated.

Scenario 1

  1. User A has 100 Ajna tokens at the snapshot 33 blocks prior to the voting.
  2. Between the first snapshot block and the vote starting block, the user sends 100 Ajna tokens to another user.
  3. At the vote starting block, User A receives their 100 tokens back and votes for said proposal. The user expects to have votes equivalent to 100 Ajna tokens, since the minimum amount of the user balance at the two snapshot blocks is 100 tokens. However, due to the following line, the user will have 0 voting power:
voteStartBlock_ = voteStartBlock_ != block.number ? voteStartBlock_ : block.number - 1;

Although the user has had 100 tokens at both the vote starting block and at the 33 blocks prior snapshot block, he has no voting power.

Scenario 2

  1. User A and user B each have 100 Ajna tokens at the snapshot block 33 blocks prior to the vote starting block.
  2. Between the two snapshot blocks, user A spends his 100 Ajna tokens.
  3. At the vote starting block, user B sends user A 100 Ajna tokens.
  4. Then user B proceeds to vote (in the same vote starting block). Because of the same line from above, the 2nd snapshot is considered to be block.number - 1, where user B still had 100 Ajna tokens. Therefore, user B will get voting power for 100 Ajna tokens, although at the time of voting he had 0 tokens.

Tools Used

Manual review

Do not accept voting in the vote starting block

require(voteStartBlock_ != block.number);

Assessed type

Error
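The two scenarios above, replayed in a small Python model (an added example, not code from the finding or from the Ajna contracts). It assumes past-balance lookups return the balance at the end of a block; `Ledger`, `voting_power`, the account names and the block numbers are constructed for illustration.

```python
from bisect import bisect_right

SNAPSHOT, VOTE_START = 100, 133  # constructed block numbers, 33 blocks apart

class Ledger:
    """Assumed token model: lookups return the balance at the END of a block."""
    def __init__(self):
        self.history = {}  # account -> [(block, balance)], appended in block order

    def set_balance(self, account, block, balance):
        self.history.setdefault(account, []).append((block, balance))

    def past_votes(self, account, block):
        points = self.history.get(account, [])
        i = bisect_right(points, (block, float("inf")))
        return points[i - 1][1] if i else 0

def voting_power(ledger, account, current_block, reject_start_block=False):
    vote_start = VOTE_START
    if vote_start == current_block:
        if reject_start_block:  # the mitigation proposed in the finding
            raise ValueError("voting not accepted in the vote starting block")
        vote_start = current_block - 1  # the line quoted in the finding
    return min(ledger.past_votes(account, SNAPSHOT),
               ledger.past_votes(account, vote_start))

def scenario_1():
    """User A: 100 at snapshot, 0 in between, 100 again in the start block."""
    ledger = Ledger()
    ledger.set_balance("A", 90, 100)
    ledger.set_balance("A", 110, 0)
    ledger.set_balance("A", VOTE_START, 100)
    return ledger

def scenario_2():
    """User B: 100 through block VOTE_START - 1, sends all 100 away in the start block."""
    ledger = Ledger()
    ledger.set_balance("B", 90, 100)
    ledger.set_balance("B", VOTE_START, 0)
    return ledger

if __name__ == "__main__":
    for name, ledger, user in (("1", scenario_1(), "A"), ("2", scenario_2(), "B")):
        in_start = voting_power(ledger, user, VOTE_START)
        after = voting_power(ledger, user, VOTE_START + 1)
        print(f"scenario {name}: start block -> {in_start}, next block -> {after}")
```

Voting one block later reads the real start-block balance in both scenarios, which is the behaviour the `require` above enforces by rejecting votes cast in the start block itself.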

#0 - c4-judge

2023-05-18T15:49:07Z

Picodes marked the issue as primary issue

#1 - c4-judge

2023-05-18T16:01:02Z

Picodes marked issue #288 as primary and marked this issue as a duplicate of 288

#2 - c4-judge

2023-05-31T14:02:36Z

Picodes marked the issue as satisfactory
