Closed code423n4 closed 1 year ago
Picodes marked the issue as primary issue
ith-harvey marked the issue as sponsor disputed
It's acknowledged behavior that the state of the treasury can change and impact extraordinary proposal success state.
It seems to be the desired behavior according to the whitepaper, page 35, example 5 which describes a scenario with 2 simultaneous proposals.
Picodes marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/ExtraordinaryFunding.sol#L85-L105
Vulnerability details
Since standard and extraordinary proposals use the same treasury funds accounting variables and extraordinary voting period is long enough (1 month), it is possible that extraordinary proposal that was valid and gained enough votes will end up frozen: it might not being able to be executed as the total treasury funds are decreased by standard proposals workflow and success criteria for the extraordinary one will not be satisfied by a small enough margin during its execution.
Impact
Otherwise valid extraordinary proposals will not be possible to be executed and repetition of the lengthy voting process will be needed.
That can be crucial as some proposals might be time-sensitive (as an example, some rescue funding).
Proof of Concept
It is checked that
uint256(totalTokensRequested) > _getSliceOfTreasury(Maths.WAD - _getMinimumThresholdPercentage()) = Maths.wmul(treasury, Maths.WAD - _getMinimumThresholdPercentage())
on proposal creation:https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/ExtraordinaryFunding.sol#L85-L105
Extraordinary proposals can take a while, up to 1 month:
https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/ExtraordinaryFunding.sol#L20-L23
_extraordinaryProposalSucceeded(proposalId_, tokensRequested)
is required on proposal execution:https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/ExtraordinaryFunding.sol#L56-L70
getExtraordinaryProposalSucceeded() checks for `votesReceived >= tokensRequested + getSliceOfNonTreasury(minThresholdPercentage
and
tokensRequested <= _getSliceOfTreasury(Maths.WAD - minThresholdPercentage)`:https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/ExtraordinaryFunding.sol#L164-L178
While _getMinimumThresholdPercentage() is stable within given extraordinary proposal:
https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/ExtraordinaryFunding.sol#L206-L215
treasury
is reduced by3%
on each new standard distribution period start, which can be in the middle of the extraordinary proposal voting period:https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/StandardFunding.sol#L119-L157
https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/StandardFunding.sol#L23-L27
Both
votesReceived >= tokensRequested_ + _getSliceOfNonTreasury(minThresholdPercentage
andtokensRequested_ <= _getSliceOfTreasury(Maths.WAD - minThresholdPercentage)
conditions are worse off whentreasury
is reduced:https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/ExtraordinaryFunding.sol#L222-L227
https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/ExtraordinaryFunding.sol#L234-L238
I.e. a proposal that is valid and gained enough votes can be frozen as one of these conditions can become unavailable due to routine decrease of
treasury
.Recommended Mitigation Steps
Since standard workflow decrease can happen only once per extraordinary proposal voting, consider adding a cushion for such possibility, for example (GLOBAL_BUDGET_CONSTRAINT has to be moved to the parent code for visibility):
https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/ExtraordinaryFunding.sol#L85-L105
Assessed type
Governance