code-423n4 / 2023-05-ajna-findings


Standard voting favors proposals which ask for lower GBC #433

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/StandardFunding.sol#L698

Vulnerability details

Impact

Proposals which ask for higher % of the GBC have a serious disadvantage.

Proof of Concept

For simplicity, let's say there are only 3 projects in the screening stage. Project A asks for 90% GBC and projects B and C ask for 40% GBC each. Therefore, project A can only be executed solo, and projects B and C can be executed together. We will once again refer to a key idea, that for a user to have the highest votes impact, they will have to split their voting power equally amongst all of the projects. (Refer to my other submitted issue for an in-depth mathematical explanation.) Therefore the most optimal way of voting for a user who has 100 votes / 10 000 voting power and supports project A would be voting +57 for A and -57 for each of B and C. This brings up a case where the supporters of B and C have between 83-99 votes. Since the supporter of proposal A has voted in the most optimal way, unless the supporters of B and C have more voting power, they cannot get both of their proposals accepted. However, if they have between 83-99, they can guarantee one of their proposals to be executed. The net-votes difference of A and B is 57 - (-57) = 114. B can overtake A if the supporters simply vote +58 for B and -58 for A, which would require 58^2 * 2 = 6728 voting power. It is important to understand that if the supporter of proposal A votes in any way different from the one described above, it will reduce the voting power needed to overtake it. The reason for this is well described in my other issue and contains a mathematical proof of it.

This becomes an even bigger problem if the situation is like proposal A against B + C + D + E.

To put it simply:

If there are 2 voters, Alice and Bob, and 3 proposals: proposal A asking for 90% GBC competing against proposals B and C, which ask for 40% GBC each. Alice is supporting proposal A and has 10 000 voting power, while Bob is supporting B + C and has 6728 voting power. Although Alice has significantly more voting power, her supported proposal has no chance of winning.

Tools Used

Manual review

Recommended Mitigation Steps

Add adjustments to the voting power depending on how many proposals a user is voting on. Consider putting a limit on the amount of proposals a user can vote on.

Assessed type

Math
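The scenario above can be replayed with a small simulation. This is an added example, not code from the Ajna contracts or from the report: it assumes a simplified model of the funding stage in which a ballot's cost is the sum of the squared votes, net votes are summed per proposal, and the winning slate is the budget-feasible set of positively voted proposals with the highest total net votes. The `alice_reply` ballot is a constructed counter-move for the case where Bob's ballot is already known.

```python
from itertools import combinations

# Simplified model of the quadratic funding stage (assumption, not the
# contract's own logic): cost = sum of squared votes, must fit voting power;
# net votes per proposal = sum of all votes cast on it; the winning slate is
# the set of proposals whose requested budgets fit in 100% of the GBC with the
# highest total net votes, counting only proposals with positive net votes.

REQUESTED = {"A": 90, "B": 40, "C": 40}  # percent of GBC, as in the report


def cost(votes: dict) -> int:
    """Quadratic cost of one voter's ballot."""
    return sum(v * v for v in votes.values())


def tally(ballots: list) -> dict:
    """Net votes per proposal across all (voting_power, votes) ballots."""
    net = {p: 0 for p in REQUESTED}
    for voting_power, votes in ballots:
        assert cost(votes) <= voting_power, "ballot exceeds voting power"
        for p, v in votes.items():
            net[p] += v
    return net


def winning_slate(net: dict) -> tuple:
    """Budget-feasible subset of positively voted proposals with most net votes."""
    eligible = [p for p in REQUESTED if net[p] > 0]
    best, best_votes = (), 0
    for k in range(1, len(eligible) + 1):
        for slate in combinations(eligible, k):
            if sum(REQUESTED[p] for p in slate) > 100:
                continue  # A cannot share the budget with B or C
            total = sum(net[p] for p in slate)
            if total > best_votes:
                best, best_votes = slate, total
    return best


# Report's scenario: Alice (10 000 power) splits evenly for A and against
# B and C; Bob (6 728 power) answers with +58 B / -58 A.
alice = (10_000, {"A": 57, "B": -57, "C": -57})
bob = (6_728, {"A": -58, "B": 58})
report_net = tally([alice, bob])
report_winner = winning_slate(report_net)

# Judge's point: if Bob's ballot is known first, Alice can answer instead.
alice_reply = (10_000, {"A": 75, "B": -45, "C": -45})  # cost 9 675
reply_winner = winning_slate(tally([bob, alice_reply]))

if __name__ == "__main__":
    print(report_net, report_winner)  # {'A': -1, 'B': 1, 'C': -57} ('B',)
    print(reply_winner)  # ('A',)
```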

c4-sponsor commented 1 year ago

MikeHathaway marked the issue as sponsor acknowledged

Picodes commented 1 year ago

The reasoning is based on the assumption that "for a user to have the highest votes impact, they will have to split their voting power equally amongst all of the projects".

To me, this is an incorrect or at least inaccurate assumption. Let's take your example:

If there are 2 voters, Alice and Bob, and 3 proposals: proposal A asking for 90% GBC competing against proposals B and C, which ask for 40% GBC each. Alice is supporting proposal A and has 10 000 voting power, while Bob is supporting B + C and has 6728 voting power. Although Alice has significantly more voting power, her supported proposal has no chance of winning.

In fact, what happens here is that whoever votes first loses. Whatever Alice does, Bob can manage to have either B or C superior to A, and conversely, if Bob votes first, Alice can manage to have A superior to B and C.

Now the issue seems to be that votes aren't private, so whoever votes last doesn't vote according to their utility function or preferences, but votes according to how they can move the results in the direction they prefer.

Anyway, my point is that your mathematical proof is an incorrect assumption, hence I'll downgrade this report.

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Invalid