to an assert_eq - so the attached deposit is not different than bond.
Description: When a proposer calls the function add_proposal to add a new proposal, he or she may attach more NEAR tokens than the proposal_bond specified in Contract.policy .
sputnikdao2/src/proposals.rs #Line 484
/// Add proposal to this DAO.
#[payable]
pub fn add_proposal(&mut self, proposal: ProposalInput) -> u64 {
// 0. validate bond attached.
// TODO: consider bond in the token of this DAO.
let policy = self.policy.get().unwrap().to_policy();
assert!(
env::attached_deposit() >= policy.proposal_bond.0,
"ERR_MIN_BOND"
);
...
// 3. Actually add proposal to the current list of proposals.
let id = self.last_proposal_id;
self.proposals
.insert(&id, &VersionedProposal::Default(proposal.into()));
self.last_proposal_id += 1;
self.locked_amount += env::attached_deposit();
id
}
However, this contract does not individually record the actual NEAR tokens deposited for each proposer, but simply accumulates these amounts into the balance of Contract.locked_amount .
As a result, such proposers can only receive the proposal_bond specified in Contract.policy returned by the function internal_return_bonds when the proposal is executed or rejected.
sputnikdao2/src/proposals.rs #Line 288
Fix: Change
to an assert_eq - so the attached deposit is not different than bond.
Description: When a proposer calls the function add_proposal to add a new proposal, he or she may attach more NEAR tokens than the proposal_bond specified in Contract.policy . sputnikdao2/src/proposals.rs #Line 484
However, this contract does not individually record the actual NEAR tokens deposited for each proposer, but simply accumulates these amounts into the balance of Contract.locked_amount . As a result, such proposers can only receive the proposal_bond specified in Contract.policy returned by the function internal_return_bonds when the proposal is executed or rejected. sputnikdao2/src/proposals.rs #Line 288
Impact: NEAR tokens deposited by the proposer may be locked in this contract.