The removeNominee and revokeRemovedNomineeVotingPower functions are part of the governance mechanism in the VoteWeighting.sol smart contract.
The removeNominee function removes a nominee from the voting system.
The revokeRemovedNomineeVotingPower function revokes the voting power that a user has delegated to a nominee who has been removed.
When a user votes for a nominee using the voteForNomineeWeights function, both pointsSum.slope and pointsSum.bias are updated to reflect the new voting weights:
However, when a nominee is removed by the owner through the removeNominee function, only pointsSum.bias is updated. pointsSum.slope is not updated, nor is it updated when users revoke their votes through the revokeRemovedNomineeVotingPower function. As a result, the pointsSum.slope for the next timestamp will be incorrect as it still includes the removed nominee's slope.
When the _getSum() function is called later to perform a checkpoint, the incorrect slope will be used for the calculation, causing the voting weight logic to become inaccurate:
function _getSum() internal returns (uint256) {
// t is always > 0 as it is set in the constructor
uint256 t = timeSum;
Point memory pt = pointsSum[t];
for (uint256 i = 0; i < MAX_NUM_WEEKS; i++) {
if (t > block.timestamp) {
break;
}
t += WEEK;
uint256 dBias = pt.slope * WEEK;
if (pt.bias > dBias) {
pt.bias -= dBias;
uint256 dSlope = changesSum[t];
pt.slope -= dSlope;
} else {
pt.bias = 0;
pt.slope = 0;
}
pointsSum[t] = pt;
if (t > block.timestamp) {
timeSum = t;
}
}
return pt.bias;
}
Impact
The voting weight logic will be inaccurate after a nominee is removed, potentially compromising the integrity of the governance mechanism.
Tools Used
Manual review, VS Code
Recommended Mitigation
To address this issue, ensure that pointsSum.slope is updated when a nominee is removed. This can be done in either the removeNominee or revokeRemovedNomineeVotingPower functions to maintain correct accounting.
Lines of code
https://github.com/code-423n4/2024-05-olas/blob/main/governance/contracts/VoteWeighting.sol#L586-L637 https://github.com/code-423n4/2024-05-olas/blob/main/governance/contracts/VoteWeighting.sol#L223-L249
Vulnerability details
Issue Description
The
removeNomineeandrevokeRemovedNomineeVotingPowerfunctions are part of the governance mechanism in theVoteWeighting.solsmart contract.removeNomineefunction removes a nominee from the voting system.revokeRemovedNomineeVotingPowerfunction revokes the voting power that a user has delegated to a nominee who has been removed.When a user votes for a nominee using the
voteForNomineeWeightsfunction, bothpointsSum.slopeandpointsSum.biasare updated to reflect the new voting weights:However, when a nominee is removed by the owner through the
removeNomineefunction, onlypointsSum.biasis updated.pointsSum.slopeis not updated, nor is it updated when users revoke their votes through therevokeRemovedNomineeVotingPowerfunction. As a result, thepointsSum.slopefor the next timestamp will be incorrect as it still includes the removed nominee's slope.When the
_getSum()function is called later to perform a checkpoint, the incorrect slope will be used for the calculation, causing the voting weight logic to become inaccurate:Impact
The voting weight logic will be inaccurate after a nominee is removed, potentially compromising the integrity of the governance mechanism.
Tools Used
Manual review, VS Code
Recommended Mitigation
To address this issue, ensure that
pointsSum.slopeis updated when a nominee is removed. This can be done in either theremoveNomineeorrevokeRemovedNomineeVotingPowerfunctions to maintain correct accounting.Assessed type
Error