When removing nominees, the slope of pointsSum is not updated.

[howlbot-integration[bot]]

Lines of code

https://github.com/code-423n4/2024-05-olas/blob/main/governance/contracts/VoteWeighting.sol#L586-L636

Vulnerability details

Impact

Since the slope is not updated and the bias is reduced, the bias will be lower than the correct value when the points are updated later.

Detail

In the function removeNominee, the contract will zeros nominees' weights and change the pointsSum at the same time.

// Set nominee weight to zero
uint256 oldWeight = _getWeight(account, chainId);
uint256 oldSum = _getSum();
uint256 nextTime = (block.timestamp + WEEK) / WEEK * WEEK;
pointsWeight[nomineeHash][nextTime].bias = 0; 
timeWeight[nomineeHash] = nextTime; 

// Account for the the sum weight change
uint256 newSum = oldSum - oldWeight;
pointsSum[nextTime].bias = newSum; // @@audit: high, don't update slope
timeSum = nextTime;

As we can see, the bias of pointsSum is reduced by oldWeight(i.e., the nominee's remaining weight). However, the slope is not updated, which means when pointsSum is updated next time, the bias will be reduced by the excess value.

Tools Used

VScode

Recommended Mitigation Steps

pointsSum[nextTime].slope -= pointsWeight[nomineeHash][nextTime].slope;

Assessed type

Math

[c4-judge]

0xA5DF marked the issue as satisfactory

[c4-judge]

0xA5DF changed the severity to 2 (Med Risk)

[c4-judge]

0xA5DF changed the severity to 3 (High Risk)