search

code-423n4 / 2024-01-salty-findings

11 stars 6 forks source link

Lack of voting duration allows users to vote even after the voting completion time. #898

Closed c4-bot-10 closed 7 months ago

c4-bot-10 commented 7 months ago

Lines of code

https://github.com/code-423n4/2024-01-salty/blob/main/src/launch/BootstrapBallot.sol#L48 https://github.com/code-423n4/2024-01-salty/blob/main/src/launch/BootstrapBallot.sol#L69

Vulnerability details

Impact

Users can continuously vote to startExchangeYes or startExchangeNo the protocol without time constraints.

Proof of Concept

 function test_voteAfterTheCompletionTime() public {
        bytes memory sig = abi.encodePacked(aliceVotingSignature);

        // Voting stage 
        vm.startPrank(alice);
        bootstrapBallot.vote(true, sig);
        vm.stopPrank();

        // Increase current blocktime to be greater than completionTimestamp
        vm.warp(bootstrapBallot.completionTimestamp());

        sig = abi.encodePacked(bobVotingSignature);
        vm.startPrank(bob);
        bootstrapBallot.vote(true, sig);
        vm.stopPrank();
    }

Tools Used

Manual Review

Recommended Mitigation Steps

Consider adding to check in BootstrapBallot::vote()

   function vote( bool voteStartExchangeYes, bytes calldata signature ) external 
   nonReentrant
    {
    require( ! hasVoted[msg.sender], "User already voted" );
++        require(block.timestamp < completionTimestamp, "Ballot is already complete");
    }

Assessed type

Timing

c4-judge commented 7 months ago

Picodes marked the issue as duplicate of #100

c4-judge commented 6 months ago

Picodes marked the issue as satisfactory

c4-judge commented 6 months ago

Picodes changed the severity to QA (Quality Assurance)

c4-judge commented 6 months ago

Picodes marked the issue as grade-c