code-423n4 / 2023-05-ajna-findings


Missing validation allows proposals requesting transfers of 0 tokens to be executed, which can lead to the extinction of the EPM #242

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/Funding.sol#L129-L137

Vulnerability details

Missing validation allows proposals requesting transfers of 0 tokens to be accepted/proposed/executed, which can impact future Extraordinary Funding proposals due to the increasing minimum threshold.

Impact

Proposals requesting 0 token transfers can be executed.

Proof of Concept

In the given Solidity code, the `_validateCallDatas` function calculates the total `tokensRequested` for a proposal:

```solidity
// @audit-issue Missing validation on tokensRequested. Proposals requesting transfers of 0 tokens may also be accepted
tokensRequested_ += SafeCast.toUint128(tokensRequested);
```

However, there is no check to ensure that the tokensRequested value is greater than zero. This may lead to proposals with 0 tokens requested being accepted.

If this happens on an EPM proposal, it will pass and essentially be a no-op, but will still increase the minimum threshold by 5%.

The worst case is that this no-op is executed exhaustively up to a point where the Extraordinary Proposal Mechanism is extinct.

Tools Used

Manual review

Recommended Mitigation Steps

Validate that the tokensRequested value is greater than zero with `require(tokensRequested > 0, "ajna/validate-0-tokens-requested");`

Assessed type

Invalid Validation
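
A simplified Solidity model of the behaviour reported above, added here as an illustration and not taken from Ajna's code base. The contract name, `baseThreshold`, `rejectZero`, `exhausted()` and the 100% cutoff are assumptions; only the 5% step and the revert string come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Added illustration: a simplified model, not Ajna's Funding.sol.
contract ExtraordinaryFundingModel {
    uint256 public constant STEP = 0.05e18;  // +5% per executed proposal (from the report)
    uint256 public immutable baseThreshold;  // assumption: starting threshold, 1e18 = 100%
    bool    public immutable rejectZero;     // false = reported behaviour, true = mitigation
    uint256 public executedCount;

    constructor(uint256 baseThreshold_, bool rejectZero_) {
        baseThreshold = baseThreshold_;
        rejectZero    = rejectZero_;
    }

    /// Threshold a proposal must clear; it ratchets up with every execution.
    function minimumThreshold() public view returns (uint256) {
        return baseThreshold + executedCount * STEP;
    }

    /// Assumption: the mechanism is treated as extinct once the threshold reaches 100%.
    function exhausted() public view returns (bool) {
        return minimumThreshold() >= 1e18;
    }

    /// Sums the per-call transfer amounts of a proposal, as the report describes
    /// for _validateCallDatas, optionally applying the recommended zero check.
    function validate(uint256[] memory amounts) public view returns (uint128 total) {
        for (uint256 i = 0; i < amounts.length; ++i) {
            if (rejectZero) {
                require(amounts[i] > 0, "ajna/validate-0-tokens-requested");
            }
            require(amounts[i] <= type(uint128).max, "amount overflows uint128");
            total += uint128(amounts[i]);
        }
    }

    /// Executes a proposal that is assumed to have already passed its vote.
    function execute(uint256[] memory amounts) external returns (uint128 total) {
        total = validate(amounts);
        executedCount += 1; // the threshold moves even when total == 0
    }
}
```

Deployed with `rejectZero = false`, calling `execute` with a single zero amount returns 0 and still raises `minimumThreshold()` by `STEP`; with `rejectZero = true` the same call reverts and the threshold is unchanged.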

Picodes commented 1 year ago

Indeed, but it'd still require a massive vote of token holders to pass, so it's reasonably QA.

c4-judge commented 1 year ago

Picodes changed the severity to QA (Quality Assurance)