near-daos / astro-ui

Front end for https://app.astrodao.com
MIT License

Possibility of serious incorrectness of proposal approvals due to mismatch in token and proposal ids #380

Closed abhimore89 closed 2 years ago

abhimore89 commented 2 years ago

Bug Discovered in Astro Dao Portal https://app.astrodao.com/dao/auctionhouse.sputnik-dao.near

Note: This has also been submitted by me via Report Issue Link https://airtable.com/shr4ZmQzmTE5cKZm3

Steps to reproduce:

  1. Create a new proposal
  2. Authorize the transaction with NEAR
  3. Somehow the proposal fails to get created properly in Astro dao. See this - https://app.astrodao.com/dao/auctionhouse.sputnik-dao.near/proposals/auctionhouse.sputnik-dao.near-11
     a. This proposal actually got successful in near transaction. See this https://explorer.mainnet.near.org/transactions/8eRkxyzTTMsiNo9XPUMdgJtaeuZjLra7TiEXK1hwoBnw
     b. This is still not a major problem
  4. Since the proposal was not visible in Astro dao, user tried to create another proposal after few minutes
     a. See this https://app.astrodao.com/dao/auctionhouse.sputnik-dao.near/proposals/auctionhouse.sputnik-dao.near-12
     b. Also see https://explorer.mainnet.near.org/transactions/Dzq4DJnjR5EDL4UXcfNEfbE214MS2Y8FU6xKNozQkAPF
     c. You will notice in #a and #b that,
        i. #a url contains token Id 12
        ii. #a when opened will show proposal id 11
        iii. #b transaction response at bottom will show id = 12
  5. User2 now tried to open Proposal 11 / Token 12, and approve.
     a. https://explorer.mainnet.near.org/transactions/94pNWmqfzGJzAHfZGFMtmoNi1qAJDqfiYHo5iJCi3dAS
     b. https://explorer.mainnet.near.org/transactions/dmgBmNa17ADAa65vKEmNgAjpqrC3cSRf2NgBdqaDskr
     c. https://explorer.mainnet.near.org/transactions/4tyUXtG1pR48zn2AsDuZaBe3T7RpcVDdjtJw1wJBrxA5
     d. These approvals were done by clicking https://app.astrodao.com/dao/auctionhouse.sputnik-dao.near/proposals/auctionhouse.sputnik-dao.near-12
  6. As of now, you will notice, this proposal shows 0 votes.
  7. You will also notice, that the proposal created in #3 is not visible anywhere
  8. You will also notice that the invisible proposal is approved, completed and fund transferred to its user.
     a. Transaction details of final approval and fund transfer here - https://explorer.mainnet.near.org/transactions/94pNWmqfzGJzAHfZGFMtmoNi1qAJDqfiYHo5iJCi3dAS
  9. You will also notice that there is no Proposal id 12. There is 11 then 13.

Inference

It seems like the NEAR response is token id, which is being mapped with proposal id in Astro dao, instead of tokenId. If for whatever reason, Astro dao proposal fails to register etc, there can be sync issues b/w Ids from NEAR transaction vs Astro dao registry.

Impact

This can have serious impact. There are two –

  1. User can unknowingly approve a “failed” proposal and can ask others to approve it because their approval is not visible in “original” proposal. Cascading impact
  2. Unknowingly that failed proposal can reach 50% rule setting etc, and complete and the fund transfer can happen to the unknown proposal

RomaSha2010 commented 2 years ago

Hi. Thank you for your issue. Was fixed in previous releases
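
A reconciliation check for the id mismatch described in the issue above, as an added example that is not part of the original thread or the astro-ui code base: it flags records whose URL slug id disagrees with the stored proposal id, lists on-chain ids with no consistent record, and refuses to pick a vote target when the two disagree. The record fields (`slug`, `proposalId`), the function names and the sample data are assumptions constructed from the ids quoted in the report.

```javascript
// Added example: field names, function names and sample records are constructed.

// Extract the numeric id from a slug such as "<daoId>-12"; null if malformed.
// The DAO id itself contains hyphens, so match the full prefix, not the last "-".
function parseSlugId(slug, daoId) {
  const prefix = daoId + '-';
  if (typeof slug !== 'string' || !slug.startsWith(prefix)) return null;
  const tail = slug.slice(prefix.length);
  return /^(0|[1-9]\d*)$/.test(tail) ? Number(tail) : null;
}

// Compare on-chain proposal ids with the records the UI would render.
function reconcile(daoId, chainIds, indexed) {
  const mismatched = [];
  const consistent = new Set();
  for (const rec of indexed) {
    const slugId = parseSlugId(rec.slug, daoId);
    if (slugId !== null && slugId === rec.proposalId) consistent.add(slugId);
    else mismatched.push({ slug: rec.slug, slugId, proposalId: rec.proposalId });
  }
  // On-chain ids that no self-consistent record accounts for.
  const unaccounted = chainIds.filter((id) => !consistent.has(id));
  return { mismatched, unaccounted };
}

// Guard for the vote action: never choose an id when the record disagrees with itself.
function voteTargetId(daoId, rec) {
  const slugId = parseSlugId(rec.slug, daoId);
  if (slugId === null || slugId !== rec.proposalId) {
    throw new Error(`ambiguous proposal id for ${rec.slug}: slug=${slugId}, record=${rec.proposalId}`);
  }
  return slugId;
}

// Constructed sample modeled on the report: slug "-12" rendered as proposal 11.
const DAO = 'auctionhouse.sputnik-dao.near';
const chainIds = [10, 11, 12, 13];
const indexed = [
  { slug: `${DAO}-10`, proposalId: 10 },
  { slug: `${DAO}-12`, proposalId: 11 },
  { slug: `${DAO}-13`, proposalId: 13 },
];

console.log(JSON.stringify(reconcile(DAO, chainIds, indexed), null, 2));
```

Both ids 11 and 12 come back as unaccounted here, which is the state in which a vote should be blocked until the record is re-synced from the chain.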