Open code423n4 opened 1 year ago
Picodes marked the issue as primary issue
MikeHathaway marked the issue as sponsor confirmed
Picodes marked the issue as selected for report
Note: validating the finding assuming it is a bug and distributing rewards according to the square wasn't the intent of the dev team. Otherwise, the fact that the warden finds it "unfair" isn't really a security issue.
Picodes marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/StandardFunding.sol#L286
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/StandardFunding.sol#L541
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/StandardFunding.sol#L673
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/StandardFunding.sol#L891
Vulnerability details
Impact
Reduces decentralization significantly and discourages delegates with less token power to vote.
Proof of Concept
The current math gives delegates rewards based on the square of their votes. Thus, accounts with a higher number of votes receive a disproportionately larger share of the rewards, leading to less decentralization.
Add the following test to StandardFunding.t.sol.

In this test, _tokenHolder1 has 350/50 = 7 times more tokens and ends up with 98% of the rewards. Had a linear distribution been used, _tokenHolder1 would have received 87.5%, a fairer number. In fact, it would be even better to use a quadratic voting system, where rewards are proportional to the square root of the votes. This would incentivize more delegates and increase decentralization.
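The following is an added worked example, not code from the report or from the Ajna repository. It reproduces the arithmetic behind the three distributions discussed above (square of votes, linear, and square root) using the report's own figures of 350 and 50 votes, and splits an integer reward pool the way an on-chain implementation would have to, with integer arithmetic and flooring. The delegate names, the 1e18 fixed-point scale for the square-root variant, and the pool size are assumptions made for the example; the reward-share percentages are the ones stated in the report.

```python
from fractions import Fraction
from math import isqrt

# Constructed input taken from the report's test: _tokenHolder1 holds 350 votes,
# a second delegate (name assumed here) holds 50.
VOTES = {"_tokenHolder1": 350, "_tokenHolder2": 50}

# Assumed fixed-point scale for the integer square root (no floats on-chain).
SCALE = 10**18


def weight(votes: int, scheme: str) -> Fraction:
    """Weight one delegate's vote count under a given reward scheme."""
    if scheme == "square":   # behaviour the report describes as current
        return Fraction(votes * votes)
    if scheme == "linear":   # reward proportional to votes
        return Fraction(votes)
    if scheme == "sqrt":     # quadratic voting: reward ~ sqrt(votes)
        # isqrt(votes * 1e18) == floor(sqrt(votes) * 1e9); the constant factor
        # cancels when shares are normalised below.
        return Fraction(isqrt(votes * SCALE))
    raise ValueError(f"unknown scheme {scheme!r}")


def reward_shares(votes: dict[str, int], scheme: str) -> dict[str, Fraction]:
    """Exact fraction of the reward pool each delegate receives."""
    weights = {d: weight(v, scheme) for d, v in votes.items()}
    total = sum(weights.values())
    return {d: w / total for d, w in weights.items()}


def reward_amounts(votes: dict[str, int], scheme: str, pool: int) -> dict[str, int]:
    """Split an integer pool (e.g. token wei) by scheme using floor division.

    Flooring means rounding dust stays unallocated rather than being overpaid,
    which is the safe direction for a payout.
    """
    weights = {d: weight(v, scheme) for d, v in votes.items()}
    total = sum(weights.values())
    return {d: int(pool * w // total) for d, w in weights.items()}


def amplification(votes: dict[str, int], scheme: str, delegate: str) -> Fraction:
    """How much a scheme inflates a delegate's reward share relative to its
    share of the vote (1 means proportional; >1 favours the large holder)."""
    token_share = Fraction(votes[delegate], sum(votes.values()))
    return reward_shares(votes, scheme)[delegate] / token_share


if __name__ == "__main__":
    pool = 1_000_000  # assumed reward pool for the printout
    for scheme in ("square", "linear", "sqrt"):
        share = reward_shares(VOTES, scheme)["_tokenHolder1"]
        print(f"{scheme:7s} _tokenHolder1 share={float(share):.4f} "
              f"amounts={reward_amounts(VOTES, scheme, pool)} "
              f"amplification={float(amplification(VOTES, scheme, '_tokenHolder1')):.3f}")
```

Running it prints the 98% / 87.5% split from the report for the square and linear schemes, and roughly 72.6% for the square-root scheme; the amplification column makes the concentration effect explicit (1.12x for the square scheme, exactly 1x for linear, below 1x for square root).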
Tools Used
VSCode, Foundry
Recommended Mitigation Steps
Use a linear or quadratic delegate reward system.
Assessed type
Other