Closed code423n4 closed 1 year ago
Picodes marked the issue as primary issue
MikeHathaway marked the issue as sponsor acknowledged
This corresponds to the example of the whitepaper (page 35).
Downgrading to QA
Picodes changed the severity to QA (Quality Assurance)
Picodes marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/ExtraordinaryFunding.sol#L105
Vulnerability details
Proof of Concept
In ExtraordinaryFunding.sol, only 10 proposals in total can be funded. Here is how the token request flow looks like:
Maths.WAD is 1e18. _getMinimumThresholdPercentage starts from 50% (0.5e18). The minimumThresholdPercentage will increase by 5% after every successful proposal executed.
If there is 100,000 tokens in the treasury, then the proposal must request 50,000 tokens or less if _getMinimumThresholdPercentage returns 0.5e18.
In particular, (tokensRequested_ <= _getSliceOfTreasury(Maths.WAD - minThresholdPercentage)) must return true.
Let's look at an example of how this might be an issue. There are 1,000,000 tokens in the treasury and all of them requests 500,000 tokens:
Impact
Proposals may have to be recreated many times in order to pass the minThresholdPercentage requirement
Tools Used
VSCode
Recommended Mitigation Steps
Recommend a way to change the tokenRequested (only able to change to a lower position) during the voting so that if one proposal passes, the minThresholdPercentage will not force the other proposals to fail.
Assessed type
Other