Skip to content
This repository has been archived by the owner on Jan 21, 2024. It is now read-only.

p12473 - Increasing vote factor can have unintended consequences #23

Closed
sherlock-admin opened this issue Jul 21, 2023 · 0 comments
Closed

p12473 - Increasing vote factor can have unintended consequences #23

sherlock-admin opened this issue Jul 21, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Jul 21, 2023
edited by sherlock-admin2
Loading

p12473

medium

Increasing vote factor can have unintended consequences

Summary

The owner has the ability to increase vote factor (by calling setVoteFactor()) however this has the unintended side effect of:

  1. Users whose distribution records were initialized previously are not able to claim
  2. Users whose distribution records were initialized previously are minted less vote tokens

As this is a bug with the current design, I’ve categorized the severity as medium.

Vulnerability Detail

The core of this vulnerability lies with how votes are calculated i.e. tokensToVotes(). Assuming an initially configured vote factor of 10%, if a user has a totalAmount of 100, it means that 10 vote tokens will be minted to the user.

Assuming some time has passed, and the owner decides to increase the vote factor to 15%. When the user tries to claim the tokens, the code will attempt to burn 15 vote tokens however the user was only minted 10 vote tokens so the user’s claim function will fail.

Impact

If the vote factor is increased, users who had their vote tokens minted previously will not be able to claim as they have insufficient vote tokens to burn.

Moreover, if the vote factor were to be increased, the users who had their vote tokens minted previously have less vote tokens than intended.

Code Snippet

https://github.com/SoftDAO/contracts/blob/291df55ddb0dbf53c6ed4d5b7432db0c357ca4d3/contracts/claim/abstract/AdvancedDistributor.sol#L73-L75

https://github.com/SoftDAO/contracts/blob/291df55ddb0dbf53c6ed4d5b7432db0c357ca4d3/contracts/claim/abstract/AdvancedDistributor.sol#L94

https://github.com/SoftDAO/contracts/blob/291df55ddb0dbf53c6ed4d5b7432db0c357ca4d3/contracts/claim/abstract/AdvancedDistributor.sol#L120

Tool used

Manual Review

Recommendation

  • Let users mint more vote tokens manually if the vote factor increases
  • Setting vote factor will retroactively mint more tokens to all users (more complex but ideal)
  • burning tokens will just burn the vote token balance of the user instead of calculating the number of vote tokens to burn.

Duplicate of #55
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jul 26, 2023
@sherlock-admin2 sherlock-admin2 changed the title Fantastic Peanut Meerkat - Increasing vote factor can have unintended consequences p12473 - Increasing vote factor can have unintended consequences Aug 6, 2023
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Aug 6, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin @sherlock-admin2