code-423n4 / 2023-05-ajna-findings


fundedSlateHash not updating in newDistributionPeriod struct when calling the startNewDistributionPeriod() function #320

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/StandardFunding.sol#L149-L155
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/StandardFunding.sol#L197-L220

Vulnerability details

Impact

In the contract code of StandardFunding.startNewDistributionPeriod(), the fundedSlateHash variable is not being correctly updated in the newDistributionPeriod struct when calling the startNewDistributionPeriod() function. This leads to the fundedSlateHash variable retaining its default value, which causes issues when calling the _updateTreasury() function.

```solidity
200    bytes32 fundedSlateHash = _distributions[distributionId_].fundedSlateHash;
```

Proof of Concept

```solidity
    struct QuarterlyDistribution {
        uint24  id;                   // id of the current quarterly distribution
        uint48  startBlock;           // block number of the quarterly distributions start
        uint48  endBlock;             // block number of the quarterly distributions end
        uint128 fundsAvailable;       // maximum fund (including delegate reward) that can be taken o
        uint256 fundingVotePowerCast; // total number of voting power allocated in funding stage
        bytes32 fundedSlateHash;      // hash of list of proposals to fund
    }
```

The value of fundedSlateHash is not initialized in the initialization below.

```solidity
149        QuarterlyDistribution storage newDistributionPeriod = _distributions[newDistributionId_];
150        newDistributionPeriod.id              = newDistributionId_;
151        newDistributionPeriod.startBlock      = startBlock;
152        newDistributionPeriod.endBlock        = endBlock;
153        uint256 gbc                           = Maths.wmul(treasury, GLOBAL_BUDGET_CONSTRAINT);
154        newDistributionPeriod.fundsAvailable  = SafeCast.toUint128(gbc);
```

This leads to

```solidity
197    function _updateTreasury(
198        uint24 distributionId_
199    ) private {
200:        bytes32 fundedSlateHash = _distributions[distributionId_].fundedSlateHash; ///@audit
201        uint256 fundsAvailable  = _distributions[distributionId_].fundsAvailable;
  ...
```

Tools Used

Manual test

Recommended Mitigation Steps

To fix this issue, the fundedSlateHash variable should be updated in the newDistributionPeriod struct when calling the StandardFunding.startNewDistributionPeriod() function.

Assessed type

Invalid Validation
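The behaviour the finding describes can be checked with a stripped-down model of the period lifecycle. This is an added illustration and not Ajna's code: the contract below, its `_fundedProposalSlates` mapping layout, the `updateSlate`/`setTokensRequested` helpers and the treasury arithmetic are assumptions made for the example. It shows the two facts the report turns on: a struct field that `startNewDistributionPeriod` never writes reads back as `bytes32(0)`, and a Solidity mapping indexed by that zero hash returns an empty array, so a treasury update that iterates the slate simply finds nothing funded and returns the whole budget.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Illustrative model only (assumed layout, not Ajna's StandardFunding).
contract SlateHashModel {
    struct QuarterlyDistribution {
        uint24  id;
        uint48  startBlock;
        uint48  endBlock;
        uint128 fundsAvailable;
        uint256 fundingVotePowerCast;
        bytes32 fundedSlateHash;      // hash of the list of proposals to fund
    }

    mapping(uint24 => QuarterlyDistribution) internal _distributions;
    // Assumed: slate hash => proposal ids funded in that slate.
    mapping(bytes32 => uint256[]) internal _fundedProposalSlates;
    // Assumed: proposal id => tokens the proposal asked for.
    mapping(uint256 => uint256) public tokensRequested;

    uint24  internal _currentId;
    uint256 public   treasury;

    constructor(uint256 initialTreasury) { treasury = initialTreasury; }

    /// Mirrors the reported pattern: every field but fundedSlateHash is written.
    function startNewDistributionPeriod(uint128 fundsAvailable_) external returns (uint24 newId) {
        newId = ++_currentId;
        QuarterlyDistribution storage p = _distributions[newId];
        p.id             = newId;
        p.startBlock     = uint48(block.number);
        p.endBlock       = uint48(block.number + 100);
        p.fundsAvailable = fundsAvailable_;
        treasury        -= fundsAvailable_;        // budget is held aside for the period
        // p.fundedSlateHash is intentionally untouched: storage default is bytes32(0).
    }

    function fundedSlateHashOf(uint24 id) external view returns (bytes32) {
        return _distributions[id].fundedSlateHash; // bytes32(0) until a slate is chosen
    }

    /// Stand-in for the funding stage: this is the step that actually sets the hash.
    function updateSlate(uint24 id, uint256[] calldata proposalIds) external {
        bytes32 h = keccak256(abi.encode(proposalIds));
        _fundedProposalSlates[h] = proposalIds;
        _distributions[id].fundedSlateHash = h;
    }

    function setTokensRequested(uint256 proposalId, uint256 amount) external {
        tokensRequested[proposalId] = amount;
    }

    /// Returns the unspent budget to the treasury. With fundedSlateHash == bytes32(0)
    /// the slate lookup yields an empty array, totalRequested stays 0, and the full
    /// fundsAvailable goes back to the treasury: no revert, no stuck funds.
    function updateTreasury(uint24 id) external returns (uint256 returned) {
        QuarterlyDistribution storage p = _distributions[id];
        uint256[] storage ids = _fundedProposalSlates[p.fundedSlateHash];
        uint256 totalRequested;
        for (uint256 i; i < ids.length; ++i) {
            totalRequested += tokensRequested[ids[i]];
        }
        returned  = p.fundsAvailable - totalRequested;
        treasury += returned;
    }
}
```

Deploying with `initialTreasury = 1000`, calling `startNewDistributionPeriod(100)` and then `updateTreasury(1)` without ever calling `updateSlate` moves 100 back into `treasury` and leaves `fundedSlateHashOf(1)` at `0x00..00`; calling `updateSlate` first makes the hash non-zero and deducts the requested amounts. Whether the zero hash is a bug therefore depends entirely on what the real `_updateTreasury` does with an empty slate, which is the proof the judge asked for and the report does not supply.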

Picodes commented 1 year ago

As the period is starting it seems to be the intended behavior to have fundedSlateHash = "0x"

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Insufficient proof