code-423n4 / 2023-05-ajna-findings


the protocol using 3% GBC instead of 2% #474

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/StandardFunding.sol#L27
https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/StandardFunding.sol#L153-L154

Vulnerability details

Impact

The protocol is using 3% GBC instead of 2% as mentioned in their docs. This may cause problems in the code implementation because the logic is based on 2% but the protocol allows using 3% of GBC.

Proof of Concept

The line that mentions that the protocol is using 2% GBC:

Each quarter (90 day cycle), up to 2% of the treasury can be distributed to projects that win a competitive bidding process. This is the global budgetary constraint, GBC https://docsend.com/view/ai74yqgzjp3yydyt

The code line that uses 3% for the GBC:

 uint256 internal constant GLOBAL_BUDGET_CONSTRAINT = 0.03 * 1e18;

In this case the math calculation will give more than the protocol expected:

  uint256 gbc = Maths.wmul(treasury, GLOBAL_BUDGET_CONSTRAINT);
  newDistributionPeriod.fundsAvailable  = SafeCast.toUint128(gbc);

I will set it as medium because it may cause the protocol to use more tokens and let projects request more than expected due to the 3%, and if the doc is not updated this will make this finding medium/low because it set the GBC as 2% during the contest.

Tools Used

manual review

Recommended Mitigation Steps

Correct the GBC percentage in the code line or update the spec if it should be set as 3%.

Assessed type

Math

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #32

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Invalid