You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Jan 21, 2024. It is now read-only.
sherlock-admin opened this issue
Jul 21, 2023
· 0 comments
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
Increasing vote factor can have unintended consequences
Summary
The owner has the ability to increase vote factor (by calling setVoteFactor()) however this has the unintended side effect of:
Users whose distribution records were initialized previously are not able to claim
Users whose distribution records were initialized previously are minted less vote tokens
As this is a bug with the current design, I’ve categorized the severity as medium.
Vulnerability Detail
The core of this vulnerability lies with how votes are calculated i.e. tokensToVotes(). Assuming an initially configured vote factor of 10%, if a user has a totalAmount of 100, it means that 10 vote tokens will be minted to the user.
Assuming some time has passed, and the owner decides to increase the vote factor to 15%. When the user tries to claim the tokens, the code will attempt to burn 15 vote tokens however the user was only minted 10 vote tokens so the user’s claim function will fail.
Impact
If the vote factor is increased, users who had their vote tokens minted previously will not be able to claim as they have insufficient vote tokens to burn.
Moreover, if the vote factor were to be increased, the users who had their vote tokens minted previously have less vote tokens than intended.
sherlock-admin2
changed the title
Fantastic Peanut Meerkat - Increasing vote factor can have unintended consequences
p12473 - Increasing vote factor can have unintended consequences
Aug 6, 2023
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
p12473
medium
Increasing vote factor can have unintended consequences
Summary
The owner has the ability to increase vote factor (by calling
setVoteFactor()
) however this has the unintended side effect of:As this is a bug with the current design, I’ve categorized the severity as medium.
Vulnerability Detail
The core of this vulnerability lies with how votes are calculated i.e.
tokensToVotes()
. Assuming an initially configured vote factor of 10%, if a user has atotalAmount
of 100, it means that 10 vote tokens will be minted to the user.Assuming some time has passed, and the owner decides to increase the vote factor to 15%. When the user tries to claim the tokens, the code will attempt to burn 15 vote tokens however the user was only minted 10 vote tokens so the user’s claim function will fail.
Impact
If the vote factor is increased, users who had their vote tokens minted previously will not be able to claim as they have insufficient vote tokens to burn.
Moreover, if the vote factor were to be increased, the users who had their vote tokens minted previously have less vote tokens than intended.
Code Snippet
https://github.com/SoftDAO/contracts/blob/291df55ddb0dbf53c6ed4d5b7432db0c357ca4d3/contracts/claim/abstract/AdvancedDistributor.sol#L73-L75
https://github.com/SoftDAO/contracts/blob/291df55ddb0dbf53c6ed4d5b7432db0c357ca4d3/contracts/claim/abstract/AdvancedDistributor.sol#L94
https://github.com/SoftDAO/contracts/blob/291df55ddb0dbf53c6ed4d5b7432db0c357ca4d3/contracts/claim/abstract/AdvancedDistributor.sol#L120
Tool used
Manual Review
Recommendation
Duplicate of #55
The text was updated successfully, but these errors were encountered: