search

code-423n4 / 2024-01-salty-findings

11 stars 6 forks source link

BootstrapBallot contract is rendered useless after finalizeBallot is invoked when startExchangeNo exceeds startExchangeYes #995

Closed c4-bot-1 closed 8 months ago

c4-bot-1 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/launch/BootstrapBallot.sol#L69 https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/launch/BootstrapBallot.sol#L84

Vulnerability details

Impact

Detailed description of the impact of this finding.

The finalizeBallot in BootstrapBallot contract is external and calleable by anoyone. This invocation is successful supposing it is called after completionTimestamp has reached. The current implementation carefully handles when the startExchangeYes supercedes the startExchangeNo, and begin the exchange. However, there is no implementation if it is otherwise. The issue arises when a malicious user, aware of the No exceeding the Yes, calls the finalizeBallot. The ballotFinalized state variable would be set to true and it will be impossible to redress this when it happens.

The implication of this design architecture is that the exchange will never start. Although there is no limited period for voting, if the startExchangeYes is voted so much that it exceeds the startExchangeNo, it would be too late because of this line:

https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/launch/BootstrapBallot.sol#L71

100 Million Ether worth of Salt sent to the Initial Distribution would be lost, unless redeploying the Salt token.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

https://gist.github.com/Ephraim-nonso/a2582818b4e99ec011da0f8d594af29e

Tools Used

Manual Review and Foundry.

Recommended Mitigation Steps

Redesign the voting strategy in this BootstrapBallot contract so that it is possible to reopen the ballot for voting. Hence, it leaves the protocol with no choice than to redeploy the InitialDistribution and BootstrapBallot and SALT contracts again.

Assessed type

Error

c4-judge commented 8 months ago

Picodes marked the issue as duplicate of #606

c4-judge commented 7 months ago

Picodes changed the severity to QA (Quality Assurance)