code-423n4 / 2022-08-olympus-findings


User cannot vote for the proposal with same proposalId as before #421

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-08-olympus/blob/70d7259581fe32647293ca4ff653ca3f2ad770b6/src/policies/Governance.sol#L247

https://github.com/code-423n4/2022-08-olympus/blob/70d7259581fe32647293ca4ff653ca3f2ad770b6/src/policies/Governance.sol#L167

Vulnerability details

Impact

A user cannot vote for a proposal with the same proposalId after the Instruction module is updated.

Proof of Concept

If Alice voted for proposal 10 and her vote is greater than 0, then userVotesForProposal[10][Alice] > 0, and it is not reset to zero if she reclaims the vote. After that, if the instruction module is updated, the proposal ID starts from 1. Alice then cannot vote for proposal 10 because userVotesForProposal[10][Alice] is positive.

Tools Used

Manual Review

Recommended Mitigation Steps

Add userVotesForProposal[proposalId_][msg.sender] = 0 to Governance.reclaimVotes.
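
The scenario from the Proof of Concept, replayed in a small Python model. This is an added example, not code from the report or from the Olympus repository. `GovernanceModel`, its method names, the voter name and the vote amount are constructed for illustration; only the `userVotesForProposal` bookkeeping and the proposal ID restarting at 1 are taken from the report.

```python
class GovernanceModel:
    """Toy model of the vote bookkeeping described in the report (not the contract)."""

    def __init__(self, reset_on_reclaim):
        self.reset_on_reclaim = reset_on_reclaim  # True = recommended mitigation
        self.user_votes_for_proposal = {}         # (proposal_id, voter) -> votes
        self.next_proposal_id = 1                 # counter owned by the instruction module
        self.active_proposal_id = 0

    def replace_instruction_module(self):
        # A fresh module numbers proposals from 1; the policy's mapping is untouched.
        self.next_proposal_id = 1
        self.active_proposal_id = 0

    def activate_next_proposal(self):
        self.active_proposal_id = self.next_proposal_id
        self.next_proposal_id += 1

    def vote(self, voter, votes):
        key = (self.active_proposal_id, voter)
        if self.user_votes_for_proposal.get(key, 0) > 0:
            return False                          # refused: a positive entry already exists
        self.user_votes_for_proposal[key] = votes
        return True

    def reclaim_votes(self, proposal_id, voter):
        key = (proposal_id, voter)
        votes = self.user_votes_for_proposal.get(key, 0)
        if votes == 0:
            raise ValueError("nothing to reclaim")
        if self.reset_on_reclaim:
            self.user_votes_for_proposal[key] = 0  # the line the report recommends adding
        return votes


def alice_can_vote_after_module_update(reset_on_reclaim):
    gov = GovernanceModel(reset_on_reclaim)
    for _ in range(10):
        gov.activate_next_proposal()      # proposal 10 is now active
    gov.vote("alice", 100)                # constructed voter and amount
    gov.activate_next_proposal()          # proposal 11 replaces it
    gov.reclaim_votes(10, "alice")
    gov.replace_instruction_module()
    for _ in range(10):
        gov.activate_next_proposal()      # id 10 is issued a second time
    return gov.vote("alice", 100)
```
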

fullyallocated commented 2 years ago

This is intended behavior, and state must be migrated correctly.

0xean commented 2 years ago

Closing as invalid.