Users that call claimDelegateReward() may get their rewards at a faster time before proposal is passed its challenge state.
Proof of Concept
This is the check in StandardFunding#executeStandard() which checks that the distribution period and challenge period has ended before executing the proposal:
// check that the distribution period has ended, and one week has passed to enable competing slates to be checked
if (block.number <= _getChallengeStageEndBlock(_distributions[distributionId].endBlock)) revert ExecuteProposalInvalid();
This is the check in StandardFunding#claimDelegateReward()
// Check if Challenge Period is still active
if(block.number < _getChallengeStageEndBlock(currentDistribution.endBlock)) revert ChallengePeriodNotEnded();
The difference is in the <= vs < sign. Users can claim delegate rewards before the proposal is passed its challenge state.
Lines of code
https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/StandardFunding.sol#L245
Vulnerability details
Impact
Users that call claimDelegateReward() may get their rewards at a faster time before proposal is passed its challenge state.
Proof of Concept
This is the check in StandardFunding#executeStandard() which checks that the distribution period and challenge period has ended before executing the proposal:
This is the check in StandardFunding#claimDelegateReward()
The difference is in the <= vs < sign. Users can claim delegate rewards before the proposal is passed its challenge state.
Tools Used
Manual Review
Recommended Mitigation Steps
Change < to <= in delegateReward()
Assessed type
Invalid Validation