code-423n4 / 2024-01-salty-findings


Upgraded Q -> 2 from #934 [1706966124236] #1047

Closed c4-judge closed 5 months ago

c4-judge commented 5 months ago

Judge has assessed an item in Issue #934 as 2 risk. The relevant finding follows:

[L-01] Users can still vote after the ballot expiry is over

https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/dao/Proposals.sol#L259C2-L293C4

If the ballot end time has been completed, users are not supposed to be able to cast a vote again, but the cast vote does not check that the ballot end time has been reached.

```solidity
function castVote( uint256 ballotID, Vote vote ) external nonReentrant
    {
    Ballot memory ballot = ballots[ballotID];

    // Require that the ballot is actually live
    require( ballot.ballotIsLive, "The specified ballot is not open for voting" );

    //@audit This check here that asks if the ballot is live or not does not prove that the ballot end time has been completed, because that value is only updated if the ballot has been finalized

    // ...more code
    }
```

Only on finalizeBallot does ballotIsLive get updated. This means that before finalize ballot is called, users can still cast their vote.

Mitigation

Implement a check to see if the ballot duration has ended.
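Added example, not part of the original issue or of the Salty.IO code base: a reduced Solidity contract that places the flag-only gate described in the finding beside a version with the suggested end-time check. Only `castVote`, `finalizeBallot` and `ballotIsLive` come from the finding; `endTime`, `votes`, `createBallot`, both function variants and the one-vote-per-call tally are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustration only, not the audited contract. Hypothetical names:
// endTime, votes, createBallot, castVoteFlagOnly, castVoteWithExpiry.
contract BallotExpiryExample {
    enum Vote { YES, NO }

    struct Ballot {
        bool ballotIsLive;   // cleared only inside finalizeBallot
        uint256 endTime;     // hypothetical: timestamp at which voting should stop
    }

    uint256 public nextBallotID;
    mapping(uint256 => Ballot) public ballots;
    mapping(uint256 => mapping(Vote => uint256)) public votes;

    function createBallot(uint256 duration) external returns (uint256 ballotID) {
        ballotID = nextBallotID++;
        ballots[ballotID] = Ballot({ ballotIsLive: true, endTime: block.timestamp + duration });
    }

    // Pattern described in the finding: the flag is the only gate, so a vote
    // arriving after endTime but before finalizeBallot is still counted.
    function castVoteFlagOnly(uint256 ballotID, Vote vote) external {
        Ballot memory ballot = ballots[ballotID];
        require(ballot.ballotIsLive, "The specified ballot is not open for voting");
        votes[ballotID][vote] += 1;
    }

    // Suggested mitigation: also compare the current time with the end time.
    function castVoteWithExpiry(uint256 ballotID, Vote vote) external {
        Ballot memory ballot = ballots[ballotID];
        require(ballot.ballotIsLive, "The specified ballot is not open for voting");
        require(block.timestamp < ballot.endTime, "The ballot voting period has ended");
        votes[ballotID][vote] += 1;
    }

    // The only place ballotIsLive changes; nothing forces this to run at endTime,
    // which leaves a window between expiry and finalization.
    function finalizeBallot(uint256 ballotID) external {
        Ballot storage ballot = ballots[ballotID];
        require(ballot.ballotIsLive, "Ballot already finalized");
        require(block.timestamp >= ballot.endTime, "Ballot has not reached its end time");
        ballot.ballotIsLive = false;
    }
}
```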

c4-judge commented 5 months ago

Picodes marked the issue as primary issue

c4-judge commented 5 months ago

Picodes marked the issue as duplicate of #37

c4-judge commented 4 months ago

This auto-generated issue was withdrawn by Picodes