code-423n4 / 2022-08-olympus-findings


Inconsistent percentage to set the SUBMISSION_REQUIREMENT and ENDORSEMENT_THRESHOLD, EXECUTION_THRESHOLD #397

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/policies/Governance.sol#L121

https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/policies/Governance.sol#L130-L133

Vulnerability details

Impact

This will cause inconsistent behavior between the submission requirement and endorsement.

Proof of Concept

/// @notice The amount of votes a proposer needs in order to submit a proposal as a percentage of total supply (in basis points).
/// @dev    This is set to 1% of the total supply.
uint256 public constant SUBMISSION_REQUIREMENT = 100;

/// @notice Endorsements required to activate a proposal as percentage of total supply.
uint256 public constant ENDORSEMENT_THRESHOLD = 20;

/// @notice Net votes required to execute a proposal on chain as a percentage of total supply.
uint256 public constant EXECUTION_THRESHOLD = 33;

It is clear from the above lines of code that submission uses the basis points approach (100% = 10000), but for endorsement and execution the percentage is 100% = 100.

Tools Used

VS code, Manual code review

Recommended Mitigation Steps

Use a basis-points-based percentage to set the limits for all criteria. This could make the calculation part easy to track.
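
An added example, not part of the original report or the Olympus code base: a small Python check that pairs each constant quoted above with its NatSpec comment, infers the documented scale, and re-expresses every threshold in basis points. The keyword heuristic and all function names are assumptions made for this illustration.

```python
import re

# Constructed input: the three constants quoted in the report, with their NatSpec.
SOURCE = '''
/// @notice The amount of votes a proposer needs in order to submit a proposal as a percentage of total supply (in basis points).
/// @dev    This is set to 1% of the total supply.
uint256 public constant SUBMISSION_REQUIREMENT = 100;

/// @notice Endorsements required to activate a proposal as percentage of total supply.
uint256 public constant ENDORSEMENT_THRESHOLD = 20;

/// @notice Net votes required to execute a proposal on chain as a percentage of total supply.
uint256 public constant EXECUTION_THRESHOLD = 33;
'''

CONST_RE = re.compile(r"uint256\s+public\s+constant\s+(\w+)\s*=\s*(\d+)\s*;")

def documented_denominator(doc: str):
    """Scale a NatSpec comment documents: 10000 (basis points), 100 (percent), else None."""
    text = doc.lower()
    if "basis point" in text:  # checked first: the bps comment also says "percentage"
        return 10_000
    return 100 if "percent" in text or "%" in text else None

def parse_thresholds(source: str):
    """Return [(name, value, denominator)], pairing each constant with the comment above it."""
    out, doc = [], []
    for line in source.splitlines():
        s = line.strip()
        if s.startswith("///"):
            doc.append(s[3:])
        elif (m := CONST_RE.match(s)):
            out.append((m.group(1), int(m.group(2)), documented_denominator(" ".join(doc))))
            doc = []
        elif s:
            doc = []  # unrelated code breaks the comment/constant pairing
    return out

def audit(source: str):
    """Return (scales, rows): the documented scales seen and each threshold re-expressed in bps."""
    rows = [(n, v, d, v * 10_000 // d if d else None) for n, v, d in parse_thresholds(source)]
    return {d for _, _, d, _ in rows}, rows

if __name__ == "__main__":
    scales, rows = audit(SOURCE)
    print("mixed units" if len(scales) > 1 else "consistent", sorted(scales, key=str))
    for row in rows:
        print(*row)
```

More than one entry in the returned set of scales means the thresholds mix units; the last column of each row is the value each constant would take if all three were expressed on the 10000 scale.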

fullyallocated commented 2 years ago

not a medium risk bug.

0xean commented 2 years ago

marking as dupe of #365 - wardens qa report