Lybra Finance - yjrwkk's results

A protocol building the first interest-bearing omnichain stablecoin backed by LSD.

General Information

Platform: Code4rena

Start Date: 23/06/2023

Pot Size: $60,500 USDC

Total HM: 31

Participants: 132

Period: 10 days

Judge: 0xean

Total Solo HM: 10

Id: 254

League: ETH

Researcher Performance

Rank: 31/132

Findings: 2

Award: $301.90

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: T1MOH

Also found by: 0xnev, Iurii3, KupiaSec, LaScaloneta, bytes032, cccz, devival, josephdara, pep7siup, sces60107, skyge, yjrwkk

Labels

bug
3 (High Risk)
satisfactory
duplicate-15

Awards

80.4648 USDC - $80.46

External Links

Lines of code

https://github.com/code-423n4/2023-06-lybra/blob/main/contracts/lybra/governance/LybraGovernance.sol#L66-L68
https://github.com/code-423n4/2023-06-lybra/blob/main/contracts/lybra/governance/LybraGovernance.sol#L120-L121

Vulnerability details

Impact

In the LybraGovernance contract, the _voteSucceeded function returns true if supportVotes[1] > supportVotes[0]. At the same time, in the proposals function supportVotes[0] is returned as forVotes and supportVotes[1] is returned as againstVotes. This could suggest that probably _voteSucceeded in fact returns true for failed votes (or proposals returns the wrong values).

Proof of Concept

https://github.com/code-423n4/2023-06-lybra/blob/main/contracts/lybra/governance/LybraGovernance.sol#L66-L68
https://github.com/code-423n4/2023-06-lybra/blob/main/contracts/lybra/governance/LybraGovernance.sol#L120-L121

diff --git a/contracts/lybra/governance/LybraGovernance.sol b/contracts/lybra/governance/LybraGovernance.sol index 7b2d4ad..8f566a6 100644 --- a/contracts/lybra/governance/LybraGovernance.sol +++ b/contracts/lybra/governance/LybraGovernance.sol @@ -64,7 +64,7 @@ contract LybraGovernance is GovernorTimelockControl { * @dev Is the proposal successful or not. */ function _voteSucceeded(uint256 proposalId) internal view override returns (bool){ - return proposalData[proposalId].supportVotes[1] > proposalData[proposalId].supportVotes[0]; + return proposalData[proposalId].supportVotes[0] > proposalData[proposalId].supportVotes[1]; } /**
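Review bot: the swapped comparison on the `+` line is only correct under the index convention that proposals() exposes (supportVotes[0] as forVotes, supportVotes[1] as againstVotes), and nothing in the hunk itself pins that convention down; the change should land together with a test asserting that a proposal with more against than for votes ends in the Defeated state, and with a check of _countVote to confirm it writes For into index 0 and Against into index 1, so that proposals(), _countVote and _voteSucceeded all agree. The strict `>` keeps a tie as not succeeded, which matches the behaviour of the original line and needs no change.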

Assessed type

Error

#0 - c4-pre-sort

2023-07-03T23:13:37Z

JeffCX marked the issue as duplicate of #15

#1 - c4-judge

2023-07-28T15:32:59Z

0xean marked the issue as satisfactory

Findings Information

🌟 Selected for report: T1MOH

Also found by: Iurii3, LokiThe5th, josephdara, skyge, squeaky_cactus, yjrwkk, zambody

Labels

bug
3 (High Risk)
satisfactory
upgraded by judge
duplicate-14

Awards

221.4353 USDC - $221.44

External Links

Lines of code

https://github.com/code-423n4/2023-06-lybra/blob/main/contracts/lybra/governance/LybraGovernance.sol#L56-L61

Vulnerability details

Impact

quorumReached does not account for forVotes.

Proof of Concept

The supportVotes mapping of the ProposalExtraData struct consists of three values: forVotes, againstVotes and abstainVotes respectively on keys 0, 1 and 2. The function:

function _quorumReached(uint256 proposalId) internal view override returns (bool){
    return proposalData[proposalId].supportVotes[1] + proposalData[proposalId].supportVotes[2] >= quorum(proposalSnapshot(proposalId));
}

seems to account only for againstVotes and abstainVotes, omitting forVotes.

diff --git a/contracts/lybra/governance/LybraGovernance.sol b/contracts/lybra/governance/LybraGovernance.sol index 7b2d4ad..2566433 100644 --- a/contracts/lybra/governance/LybraGovernance.sol +++ b/contracts/lybra/governance/LybraGovernance.sol @@ -57,7 +57,7 @@ contract LybraGovernance is GovernorTimelockControl { * @dev Amount of votes already cast passes the threshold limit. */ function _quorumReached(uint256 proposalId) internal view override returns (bool){ - return proposalData[proposalId].supportVotes[1] + proposalData[proposalId].supportVotes[2] >= quorum(proposalSnapshot(proposalId)); + return proposalData[proposalId].supportVotes[0] + proposalData[proposalId].supportVotes[1] + proposalData[proposalId].supportVotes[2] >= quorum(proposalSnapshot(proposalId)); } /**
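Review bot: the `+` line counts all three buckets toward quorum, which matches the docstring above it ("Amount of votes already cast passes the threshold limit") but differs from OpenZeppelin's GovernorCountingSimple, whose _quorumReached counts forVotes + abstainVotes and excludes againstVotes; the project should state which quorum semantics it intends and add a test for the boundary case (total exactly equal to quorum(proposalSnapshot(proposalId)) is accepted by the `>=`). Either way forVotes must be included, so the fix is correct in substance; only the treatment of supportVotes[1] is a design choice worth documenting in the hunk's comment.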

Assessed type

Error
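As an added illustration, not code from the Lybra repository or from the report, the following Python model puts the buggy and corrected forms of both LybraGovernance checks side by side and evaluates the resulting proposal outcome on constructed tallies; the index convention (0 = for, 1 = against, 2 = abstain), the quorum value of 50 and the sample tallies are assumptions made for the example.

```python
# Added example (not the Lybra code base): models _voteSucceeded and
# _quorumReached in their buggy and corrected forms and shows where the
# proposal outcome diverges. Index convention as described in the report.
FOR, AGAINST, ABSTAIN = 0, 1, 2


def vote_succeeded(support, fixed):
    """_voteSucceeded: buggy form tests against > for; fixed form for > against."""
    if fixed:
        return support[FOR] > support[AGAINST]
    return support[AGAINST] > support[FOR]


def quorum_reached(support, quorum, fixed):
    """_quorumReached: buggy form omits forVotes; fixed form sums all three buckets."""
    if fixed:
        total = support[FOR] + support[AGAINST] + support[ABSTAIN]
    else:
        total = support[AGAINST] + support[ABSTAIN]
    return total >= quorum


def proposal_state(support, quorum, fixed):
    """Outcome after the vote ends, in Governor order: quorum gate, then support."""
    if not quorum_reached(support, quorum, fixed):
        return "Defeated"
    return "Succeeded" if vote_succeeded(support, fixed) else "Defeated"


def outcome_divergences(tallies, quorum):
    """Tallies whose outcome differs between buggy and fixed logic."""
    out = []
    for t in tallies:
        buggy = proposal_state(t, quorum, fixed=False)
        good = proposal_state(t, quorum, fixed=True)
        if buggy != good:
            out.append((t, buggy, good))
    return out


# Constructed tallies (for, against, abstain); assumed quorum of 50 votes.
SAMPLE_TALLIES = [
    (100, 10, 0),  # clear majority for: buggy logic never reaches quorum
    (10, 100, 0),  # clear majority against: buggy logic reports Succeeded
    (30, 30, 10),  # tie: both forms Defeated (strict comparison)
    (0, 0, 60),    # abstain only: both forms Defeated
]

if __name__ == "__main__":
    for tally, buggy, good in outcome_divergences(SAMPLE_TALLIES, quorum=50):
        print(f"{tally}: buggy={buggy} fixed={good}")
```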

#0 - c4-pre-sort

2023-07-04T15:14:12Z

JeffCX marked the issue as duplicate of #14

#1 - c4-judge

2023-07-28T15:33:45Z

0xean marked the issue as satisfactory

#2 - c4-judge

2023-07-28T19:42:05Z

0xean changed the severity to 3 (High Risk)
