code-423n4 / 2023-05-ajna-findings


It is not possible to create or execute new extraordinary proposals after 10 funded Extraordinary Proposals #456

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/ExtraordinaryFunding.sol#L105

https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/ExtraordinaryFunding.sol#L176

https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/ExtraordinaryFunding.sol#L213

Vulnerability details

Impact

With each executed offer, the value of `_getMinimumThresholdPercentage` increases, so that when trying to create a new proposal or execute an existing one, `_getMinimumThresholdPercentage` exceeds 1e18 and we hit an underflow error via `_getSliceOfTreasury(Maths.WAD - minThresholdPercentage)`. This will make it impossible to create new extraordinary proposals or execute existing proposals.

We have 2 points with this:

  1. When we create a new proposal (L105):

    ```javascript
    105:         if (uint256(totalTokensRequested) > _getSliceOfTreasury(Maths.WAD - _getMinimumThresholdPercentage())) revert InvalidProposal();
    ```

  2. When checking the opportunity to execute the proposal (L176):

    ```javascript
    File: ajna-grants\src\grants\base\ExtraordinaryFunding.sol
    175:             // succeeded if tokens requested are available for claiming from the treasury
    176:             (tokensRequested_ <= _getSliceOfTreasury(Maths.WAD - minThresholdPercentage))
    ```

    It also affects the methods associated with the corresponding calls, but these are minor problems, only the call files of the view methods.

Proof of Concept

  1. Let's consider the calculation in `_getMinimumThresholdPercentage()`:

    ```javascript
    File: 2023-05-ajna\ajna-grants\src\grants\base\ExtraordinaryFunding.sol

    206:     function _getMinimumThresholdPercentage() internal view returns (uint256) {
    207:         // default minimum threshold is 50
    208:         if (_fundedExtraordinaryProposals.length == 0) {
    209:             return 0.5 * 1e18;
    210:         }
    211:         // minimum threshold increases according to the number of funded EFM proposals
    212:         else {
    213:             return 0.5 * 1e18 + (_fundedExtraordinaryProposals.length * (0.05 * 1e18));
    214:         }
    215:     }
    ```

  2. We can see that the formula is as follows: `0.5*1e18 + fundedExtraordinaryProposalCount * (0.05 * 1e18)`. Let's substitute `fundedExtraordinaryProposalCount > 10` into it:

    `0.5*1e18 + 11 * (0.05 * 1e18)` = `1.05e18`

  3. This value is used when creating new proposals or executing existing ones:

    ```javascript
    File: ajna-grants\src\grants\base\ExtraordinaryFunding.sol

    102:         uint128 totalTokensRequested = _validateCallDatas(targets_, values_, calldatas_);
    103: 
    104:         // check tokens requested are available for claiming from the treasury
    105:         if (uint256(totalTokensRequested) > _getSliceOfTreasury(Maths.WAD - _getMinimumThresholdPercentage())) revert InvalidProposal(); // @audit
    106: 
    107:         // store newly created proposal
    ```

  4. Here the calculation at L105 is `Maths.WAD - _getMinimumThresholdPercentage()`; in our case it is `1e18 - 1.05e18`, which will cause a subtraction error.

Tools Used

Recommended Mitigation Steps

Assessed type

Under/Overflow
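
The arithmetic described in the report above, modelled in Python as an added example (it is not part of the original submission or of Ajna's code). It separates the two boundaries: at 10 funded proposals the claimable slice is zero, and at 11 the checked subtraction itself fails. Assumptions: `slice_of_treasury` is taken to be `treasury * percentage / WAD`, the treasury is held constant across the sweep, and the treasury and request amounts are constructed values.

```python
# Model of the report's arithmetic (added example, not Ajna's own code).
WAD = 10**18


class Panic(Exception):
    """Stands in for the Solidity >=0.8 revert on arithmetic underflow."""


def checked_sub(a: int, b: int) -> int:
    # uint256 subtraction with the compiler's built-in underflow check.
    if b > a:
        raise Panic("arithmetic underflow")
    return a - b


def minimum_threshold_percentage(funded_count: int) -> int:
    # Formula from the report: 0.5*1e18 + count * (0.05*1e18).
    if funded_count == 0:
        return WAD // 2
    return WAD // 2 + funded_count * (WAD // 20)


def slice_of_treasury(treasury: int, percentage: int) -> int:
    # ASSUMPTION: slice = treasury * percentage / WAD (rounding ignored).
    return treasury * percentage // WAD


def propose_check(treasury: int, tokens_requested: int, funded_count: int) -> str:
    """Mirror of the L105 check; returns the outcome instead of reverting."""
    try:
        pct = checked_sub(WAD, minimum_threshold_percentage(funded_count))
    except Panic:
        return "panic: underflow"
    if tokens_requested > slice_of_treasury(treasury, pct):
        return "revert: InvalidProposal"
    return "ok"


def sweep(treasury: int, tokens_requested: int, max_count: int = 12):
    # Outcome of the check for every funded-proposal count 0..max_count.
    return [(n, propose_check(treasury, tokens_requested, n)) for n in range(max_count + 1)]


if __name__ == "__main__":
    # Constructed inputs: 1,000,000-token treasury, 1-token request.
    for n, outcome in sweep(1_000_000 * WAD, 1 * WAD):
        pct = minimum_threshold_percentage(n) / WAD
        print(f"funded={n:2d} threshold={pct:.2f} -> {outcome}")
```
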

c4-judge commented 1 year ago

Picodes marked the issue as primary issue

MikeHathaway commented 1 year ago

This is acknowledged system behavior and mentioned in documentation already

c4-sponsor commented 1 year ago

ith-harvey marked the issue as sponsor disputed

ith-harvey commented 1 year ago

Disputing as this is expected functionality... was mentioned in the white paper.

Picodes commented 1 year ago

Invalid as this is mentioned in the whitepaper.

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Invalid