MikeHathaway
commented
1 year ago Checking if it's executed is irrelevant as only proposals in a finalized slate can be executed and those funds are already set aside and not readded.
Closed code423n4 closed 1 year ago
MikeHathaway
commented
1 year ago Checking if it's executed is irrelevant as only proposals in a finalized slate can be executed and those funds are already set aside and not readded.
c4-judge
commented
1 year ago Picodes marked the issue as unsatisfactory: Insufficient proof
Lines of code
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/StandardFunding.sol#L197-L220
Vulnerability details
Impact
In
startNewDistributionPeriod()before the start of the new distribution period the treasury is updated with unused funds from the last two distributions. This happens in_updateTreasury()where in the for looptotalTokensRequestedis calculated and then subtracted fromfundsAvailableto calculate how much the unused funds are. The problem here is that when addingtokensRequestedfor each proposal tototalTokensRequestedthere is no check that the proposal is actually executed.Proof of Concept
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/StandardFunding.sol#L131
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/StandardFunding.sol#L137
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/StandardFunding.sol#L197-L220
startNewDistributionPeriod()is called and a new distributiondis startedThen
_updateTreasuryis called for distributionsd-1andd-2.In distribution
d-1we havepamount of proposals with axamount of tokens requested for each(calculations are easier this way) andt(wheret<=p) proposals that are not executed.This means that instead of
(p - t) * xthe end result fortotalTokensRequestedwill bep * tandt * xtokens will be locked.Tools Used
Manual review
Recommended Mitigation Steps
Check that proposal is executed before increasing
totalTokensRequestedAssessed type
Math