10**6 is too small for RATIO_BASE #40
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
edited-by-warden
grade-c
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2023-03-aragon/blob/4db573870aa4e1f40a3381cdd4ec006222e471fe/packages/contracts/src/plugins/utils/Ratio.sol#L6
Vulnerability details
Impact
RATIO_BASE
is set as10**6
, and limit of participations is also around10**6
.RATIO_BASE
should be bigger than square of the limit of participations.Proof of Concept
Currently,
RATIO_BASE
is set as10**6
.https://github.com/code-423n4/2023-03-aragon/blob/4db573870aa4e1f40a3381cdd4ec006222e471fe/packages/contracts/src/plugins/utils/Ratio.sol#L6
In the contract
MajorityVotingBase
, we can easily guess that the limit of participations is around10**6
(=RATIO_BASE
).https://github.com/code-423n4/2023-03-aragon/blob/4db573870aa4e1f40a3381cdd4ec006222e471fe/packages/contracts/src/plugins/governance/majority-voting/MajorityVotingBase.sol#L536
For example, let's say that the creator of Voting DAO wants to separate
1/2001
and1/2002
in the voting ratio.In other words, "1 yes, 2000 no" is executable and "1 yes, 2001 no" is non-excutable.
So voting ratio should be bigger than
1/2002
and smaller than1/2001
.Since both
1/2001
and1/2002
are inside the range (499/1000000
,500/1000000
), there is no proper ratio.Tools Used
(Nothing, just looking the code on VSCode)
Recommended Mitigation Steps
We can set
RATIO_BASE
as10**12
. Then, the creator can separate every two different fractions with denominators less than10**6
.The text was updated successfully, but these errors were encountered: