Detailed description of the impact of this finding.
The finalizeBallot in BootstrapBallot contract is external and calleable by anoyone. This invocation is successful supposing it is called after completionTimestamp has reached. The current implementation carefully handles when the startExchangeYes supercedes the startExchangeNo, and begin the exchange. However, there is no implementation if it is otherwise. The issue arises when a malicious user, aware of the No exceeding the Yes, calls the finalizeBallot. The ballotFinalized state variable would be set to true and it will be impossible to redress this when it happens.
The implication of this design architecture is that the exchange will never start. Although there is no limited period for voting, if the startExchangeYes is voted so much that it exceeds the startExchangeNo, it would be too late because of this line:
Redesign the voting strategy in this BootstrapBallot contract so that it is possible to reopen the ballot for voting. Hence, it leaves the protocol with no choice than to redeploy the InitialDistribution and BootstrapBallot and SALT contracts again.
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/launch/BootstrapBallot.sol#L69 https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/launch/BootstrapBallot.sol#L84
Vulnerability details
Impact
Detailed description of the impact of this finding.
The finalizeBallot in BootstrapBallot contract is external and calleable by anoyone. This invocation is successful supposing it is called after completionTimestamp has reached. The current implementation carefully handles when the startExchangeYes supercedes the startExchangeNo, and begin the exchange. However, there is no implementation if it is otherwise. The issue arises when a malicious user, aware of the No exceeding the Yes, calls the finalizeBallot. The ballotFinalized state variable would be set to true and it will be impossible to redress this when it happens.
The implication of this design architecture is that the exchange will never start. Although there is no limited period for voting, if the startExchangeYes is voted so much that it exceeds the startExchangeNo, it would be too late because of this line:
https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/launch/BootstrapBallot.sol#L71
100 Million Ether worth of Salt sent to the Initial Distribution would be lost, unless redeploying the Salt token.
Proof of Concept
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
https://gist.github.com/Ephraim-nonso/a2582818b4e99ec011da0f8d594af29e
Tools Used
Manual Review and Foundry.
Recommended Mitigation Steps
Redesign the voting strategy in this BootstrapBallot contract so that it is possible to reopen the ballot for voting. Hence, it leaves the protocol with no choice than to redeploy the InitialDistribution and BootstrapBallot and SALT contracts again.
Assessed type
Error