code-423n4 / 2024-05-olas-findings


When revoking user voting power, the update of changesSum is not synchronized with pointsSum. #92

Closed howlbot-integration[bot] closed 2 months ago

howlbot-integration[bot] commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-05-olas/blob/main/governance/contracts/VoteWeighting.sol#L657-L661

Vulnerability details

Impact

pointsSum will be incorrect.

Detail

In the function revokeRemovedNomineeVotingPower, the protocol will update changesWeight and changesSum. However, this operation should be synchronized with the update of pointsSum. If changesSum is reduced, the slope of pointsSum should also be reduced, or else the slope of pointsSum will be larger than expected after oldSlope.end. On the other hand, the function revokeRemovedNomineeVotingPower doesn't update the slope of pointsSum in any case, but changesSum may be changed. Then, two situations will occur. The first situation is that changesSum is updated (decreased), so the slope of pointsSum will be reduced by a smaller value. The other situation is that changesSum is not updated, so the slope of pointsSum will be reduced by a larger value. The final result is that after oldSlope.end, pointsSum will have two possible values, which is obviously incorrect.

Tools Used

VScode

Recommended Mitigation Steps

When updating changesSum, the slope of pointsSum needs to be updated at the same time.

Assessed type

Math
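A constructed Python model of the Curve-style slope bookkeeping the finding describes (added here as an illustration; it is not the project's VoteWeighting.sol code, and the week-aligned checkpoint loop and the `vote`/`revoke`/`checkpoint` names are assumed for the model). With `sync_slope=False` the revoke path decrements changesSum but leaves pointsSum.slope untouched, so after oldSlope.end a stale slope survives; with `sync_slope=True` both are reduced together, matching the recommended mitigation.

```python
# Constructed model, not VoteWeighting.sol: Curve-style gauge bookkeeping in
# which pointsSum.slope decays by the amounts scheduled in changesSum[t].
WEEK = 7 * 24 * 3600


class PointsSum:
    def __init__(self):
        self.time = 0            # last checkpointed, week-aligned timestamp
        self.slope = 0           # pointsSum.slope: total active voting slope
        self.changes_sum = {}    # changesSum[t]: slope expiring at time t

    def vote(self, slope, end):
        """A user's vote adds to the live slope and schedules its removal."""
        self.slope += slope
        self.changes_sum[end] = self.changes_sum.get(end, 0) + slope

    def revoke(self, slope, end, sync_slope):
        """Remove a vote before it expires. With sync_slope=False this mirrors
        the finding: changesSum shrinks but pointsSum.slope does not."""
        self.changes_sum[end] -= slope
        if sync_slope:
            self.slope -= slope

    def checkpoint(self, until):
        """Advance week by week, applying the scheduled slope reductions."""
        while self.time < until:
            self.time += WEEK
            self.slope -= self.changes_sum.get(self.time, 0)


def slope_after_end(sync_slope):
    """Two voters expire at week 4; one is revoked at week 1 (constructed
    scenario). Returns pointsSum.slope observed after oldSlope.end."""
    ps = PointsSum()
    end = 4 * WEEK
    ps.vote(10, end)                 # user A
    ps.vote(5, end)                  # user B
    ps.checkpoint(1 * WEEK)
    ps.revoke(10, end, sync_slope)   # A's nominee removed, A's vote revoked
    ps.checkpoint(5 * WEEK)          # past oldSlope.end
    return ps.slope


if __name__ == "__main__":
    # Both votes have expired, so the correct live slope is 0.
    print("unsynced:", slope_after_end(False))  # 10: stale slope remains
    print("synced:  ", slope_after_end(True))   # 0
```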

c4-judge commented 2 months ago

0xA5DF marked the issue as satisfactory

c4-judge commented 2 months ago

0xA5DF changed the severity to 2 (Med Risk)

c4-judge commented 2 months ago

0xA5DF changed the severity to 3 (High Risk)