Platform: Code4rena
Start Date: 25/08/2022
Pot Size: $75,000 USDC
Total HM: 35
Participants: 147
Period: 7 days
Judge: 0xean
Total Solo HM: 15
Id: 156
League: ETH
Rank: 47/147
Findings: 2
Award: $304.34
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: rbserver
Also found by: 0x1f8b, Bahurum, csanuragjain, yixxas
https://github.com/code-423n4/2022-08-olympus/blob/main/src/policies/Governance.sol#L180-L201
Submission of a proposal requires 1% of VOTES of total supply, whereas endorsement of a proposal requires 20% of VOTES of total supply (default values). However, users are only required to temporarily transfer their VOTES to the protocol when they are casting their votes, and not during the submission or endorsement phase. This means that the endorsement layer, which attempts to prevent and reduce spam, can effectively be circumvented. Any user with enough VOTES to submit a proposal will be able to endorse it, making endorsement an ineffective measure. This can potentially lead to many more spam proposals to the protocol, as the number of votes required is 20x lower.
When the same address calls the endorseProposal() function twice, it updates only the latest votes. However, there is nothing preventing the user from transferring their VOTES tokens to another address after endorsing and calling this same function again. The same VOTES can be used to increase the totalEndorsementsForProposal count infinitely.
```solidity
function endorseProposal(uint256 proposalId_) external {
    ...
    // undo any previous endorsement the user made on these instructions
    uint256 previousEndorsement = userEndorsementsForProposal[proposalId_][msg.sender];
    totalEndorsementsForProposal[proposalId_] -= previousEndorsement;

    // reapply user endorsements with most up-to-date votes
    userEndorsementsForProposal[proposalId_][msg.sender] = userVotes;
    totalEndorsementsForProposal[proposalId_] += userVotes;

    emit ProposalEndorsed(proposalId_, msg.sender, userVotes);
}
```
Consider taking a snapshot of the number of tokens a user has in the same block as when the proposal is made. This means that any transfers made after this block number do not change the vote count of a particular user for this particular proposal. This also means that there is no need to temporarily transfer user votes to the protocol when votes are cast.
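An added example (not code from this report or from the Olympus codebase) that models the endorsement accounting described above: `VotesToken` keeps a (block, balance) checkpoint per holder in the style of ERC20Votes-like tokens, and `Governance.endorse` tallies either the live balance (the behaviour the finding describes) or the balance snapshotted at the proposal's submission block (the recommended fix). The class names, the holders alice and bob, the amounts and the block numbers are constructed for illustration; whether the real VOTES module exposes checkpoints is an assumption.

```python
from bisect import bisect_right
from collections import defaultdict
class VotesToken:
    """Toy VOTES token keeping a (block, balance) checkpoint list per holder."""
    def __init__(self, balances, block):
        self.block = block
        self.checkpoints = defaultdict(list)
        for holder, amount in balances.items():
            self.checkpoints[holder].append((block, amount))

    def balance_of(self, holder):
        cps = self.checkpoints[holder]
        return cps[-1][1] if cps else 0

    def get_past_votes(self, holder, block):
        """Balance at the end of `block`: last checkpoint with block <= `block`."""
        cps = self.checkpoints[holder]
        i = bisect_right(cps, (block, float("inf")))
        return cps[i - 1][1] if i else 0

    def transfer(self, src, dst, amount):
        self.block += 1  # constructed: every transfer lands in a fresh block
        assert self.balance_of(src) >= amount, "insufficient VOTES"
        for holder, delta in ((src, -amount), (dst, amount)):
            self.checkpoints[holder].append((self.block, self.balance_of(holder) + delta))

class Governance:
    """Endorsement tally for one proposal, from live balances or a snapshot."""
    def __init__(self, token, snapshot):
        self.token, self.snapshot = token, snapshot
        self.submission_block = token.block  # block the proposal was submitted in
        self.user_endorsements = defaultdict(int)
        self.total_endorsements = 0

    def endorse(self, user):
        votes = (self.token.get_past_votes(user, self.submission_block)
                 if self.snapshot else self.token.balance_of(user))
        # same undo/reapply accounting as endorseProposal() in the finding
        self.total_endorsements -= self.user_endorsements[user]
        self.user_endorsements[user] = votes
        self.total_endorsements += votes
        return self.total_endorsements

def run_scenario(snapshot):
    """alice endorses, moves her 100 VOTES to bob, and bob endorses too."""
    token = VotesToken({"alice": 100, "bob": 0}, block=10)
    gov = Governance(token, snapshot)
    gov.endorse("alice")
    token.transfer("alice", "bob", 100)
    return gov.endorse("bob")  # live: 200 (double-counted); snapshot: 100
```

With live balances the same 100 VOTES are counted twice; with the submission-block snapshot, bob's endorsement adds nothing because he held no VOTES when the proposal was made.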
#0 - bahurum
2022-09-02T13:33:36Z
Duplicate of #239
#1 - fullyallocated
2022-09-02T20:38:55Z
Duplicate of #239
🌟 Selected for report: zzzitron
Also found by: 0x040, 0x1f8b, 0x52, 0x85102, 0xDjango, 0xNazgul, 0xNineDec, 0xSky, 0xSmartContract, 0xkatana, 8olidity, Aymen0909, Bahurum, BipinSah, Bnke0x0, CRYP70, CertoraInc, Ch_301, Chandr, Chom, CodingNameKiki, Deivitto, DimSon, Diraco, ElKu, EthLedger, Funen, GalloDaSballo, Guardian, IllIllI, JansenC, Jeiwan, Lambda, LeoS, Margaret, MasterCookie, PPrieditis, PaludoX0, Picodes, PwnPatrol, RaymondFam, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, StevenL, The_GUILD, TomJ, Tomo, Trust, Waze, __141345__, ajtra, ak1, apostle0x01, aviggiano, bin2chen, bobirichman, brgltd, c3phas, cRat1st0s, carlitox477, cccz, ch13fd357r0y3r, cloudjunky, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, devtooligan, dipp, djxploit, durianSausage, eierina, enckrish, erictee, fatherOfBlocks, gogo, grGred, hansfriese, hyh, ignacio, indijanc, itsmeSTYJ, ladboy233, lukris02, martin, medikko, mics, natzuu, ne0n, nxrblsrpr, okkothejawa, oyc_109, p_crypt0, pfapostol, prasantgupta52, rajatbeladiya, rbserver, reassor, ret2basic, robee, rokinot, rvierdiiev, shenwilly, sikorico, sorrynotsorry, tnevler, tonisives, w0Lfrum, yixxas
54.3128 DAI - $54.31
In executeProposal(), if we have more noVotes than yesVotes, it means that the proposal should be rejected. When a user calls the executeProposal() function in that state, it will revert due to an underflow error. It would be better to catch this error and inform users who call this function of the real revert reason, namely noVotes > yesVotes.
```solidity
function executeProposal() external {
    uint256 netVotes = yesVotesForProposal[activeProposal.proposalId] - noVotesForProposal[activeProposal.proposalId];
    ...
}
```