Closed c4-bot-4 closed 9 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #8
raymondfam marked the issue as duplicate of #160
MarioPoneder marked the issue as not a duplicate
MarioPoneder changed the severity to QA (Quality Assurance)
MarioPoneder marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/d42cc62b873a1b2b44f57310f9d4bbfdd875e8d6/packages/protocol-rewards/src/abstract/RewardSplits.sol#L41
Vulnerability details
Impact
`computeTotalReward()` in the `RewardSplits` contract is invoked by `ERC20TokenEmitter.buyToken()` to compute the total rewards before `ERC20Votes` tokens are bought. The `RewardSplits` contract defines `minPurchaseAmount` and `maxPurchaseAmount`. However, the incorrect validation in `RewardSplits.computeTotalReward()` causes the `ERC20TokenEmitter.buyToken()` call to revert when a user attempts to purchase tokens for exactly `minPurchaseAmount` or `maxPurchaseAmount`.
Proof of Concept
`minPurchaseAmount` and `maxPurchaseAmount` determine the minimum and maximum amounts necessary to acquire `ERC20Votes` tokens, as specified in the `RewardSplits` contract.
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/d42cc62b873a1b2b44f57310f9d4bbfdd875e8d6/packages/protocol-rewards/src/abstract/RewardSplits.sol#L23C1-L24C62
This information indicates to users that they have the option to purchase `ERC20Votes` tokens with a minimum of `0.0000001 ether` and a maximum of `50,000 ether`. Tokens are acquired through the `buyToken()` function of the `ERC20TokenEmitter` contract.
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/d42cc62b873a1b2b44f57310f9d4bbfdd875e8d6/packages/revolution/src/ERC20TokenEmitter.sol#L152C5-L170C11
Refer to line number 165 in the linked code, where `_handleRewardsAndGetValueToSend()` is called. In the corresponding code snippet for `_handleRewardsAndGetValueToSend()`, observe line number 18, where `computeTotalReward()` is invoked.
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/d42cc62b873a1b2b44f57310f9d4bbfdd875e8d6/packages/protocol-rewards/src/abstract/TokenEmitter/TokenEmitterRewards.sol#L12C5-L18C82
In the following code snippet, observe the `computeTotalReward()` function. Pay attention to line number 41, where the payment (purchase) amount is validated using `<= minPurchaseAmount` and `>= maxPurchaseAmount`. Notably, these strict comparisons exclude the values of `minPurchaseAmount` and `maxPurchaseAmount` themselves.
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/d42cc62b873a1b2b44f57310f9d4bbfdd875e8d6/packages/protocol-rewards/src/abstract/RewardSplits.sol#L40C1-L41C121
Should an individual attempt to acquire tokens with an amount equal to `minPurchaseAmount` or `maxPurchaseAmount`, the transaction reverts. The validation effectively makes the minimum permissible purchase amount `minPurchaseAmount + 1 wei` and the maximum allowable amount `maxPurchaseAmount - 1 wei`.
Tools Used
Manual Review
Recommended Mitigation Steps
Update the validation in `computeTotalReward()` as follows.
Assessed type
Invalid Validation
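As an added illustration of the off-by-one-wei behaviour described in the Proof of Concept and of the inclusive check the mitigation calls for (a Foundry test written for this page, not the project's code or the report author's): the two bounds and the comparison shapes are taken from the report above, while the contract, function and error names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;
import "forge-std/Test.sol";

// Hypothetical stand-in for the RewardSplits check (not the project's code):
// bounds and comparison shapes from the report, names assumed.
contract PurchaseBounds {
    uint256 internal constant minPurchaseAmount = 0.0000001 ether;
    uint256 internal constant maxPurchaseAmount = 50_000 ether;
    error InvalidPurchaseAmount(); // assumed error name

    // Shape reported at RewardSplits.sol#L41: strict comparisons reject both bounds.
    function checkStrict(uint256 paymentAmountWei) external pure returns (bool) {
        if (paymentAmountWei <= minPurchaseAmount || paymentAmountWei >= maxPurchaseAmount)
            revert InvalidPurchaseAmount();
        return true;
    }

    // Inclusive form: only amounts strictly outside [min, max] are rejected.
    function checkInclusive(uint256 paymentAmountWei) external pure returns (bool) {
        if (paymentAmountWei < minPurchaseAmount || paymentAmountWei > maxPurchaseAmount)
            revert InvalidPurchaseAmount();
        return true;
    }
}

contract PurchaseBoundsTest is Test {
    PurchaseBounds internal bounds = new PurchaseBounds();

    function test_documentedLimitsRevertWithStrictCheck() public {
        vm.expectRevert(PurchaseBounds.InvalidPurchaseAmount.selector);
        bounds.checkStrict(0.0000001 ether);
        vm.expectRevert(PurchaseBounds.InvalidPurchaseAmount.selector);
        bounds.checkStrict(50_000 ether);
        // One wei inside either limit is accepted: the effective range is (min, max).
        assertTrue(bounds.checkStrict(0.0000001 ether + 1));
        assertTrue(bounds.checkStrict(50_000 ether - 1));
    }

    function test_documentedLimitsAcceptedWithInclusiveCheck() public {
        assertTrue(bounds.checkInclusive(0.0000001 ether));
        assertTrue(bounds.checkInclusive(50_000 ether));
        // Amounts one wei outside the limits still revert.
        vm.expectRevert(PurchaseBounds.InvalidPurchaseAmount.selector);
        bounds.checkInclusive(0.0000001 ether - 1);
        vm.expectRevert(PurchaseBounds.InvalidPurchaseAmount.selector);
        bounds.checkInclusive(50_000 ether + 1);
    }
}
```

Run with `forge test` in a project that has forge-std installed; both tests pass, showing that only the inclusive form honours the documented limits.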