search

sherlock-audit / 2023-04-ajna-judging

4 stars 3 forks source link

josephdara - Early vote cutoff #80

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

josephdara

medium

Early vote cutoff

Summary

In GrantFund.sol the function propose does not follow it's specification. New proposals cannot be added immediately after the Screening Period which filters out the top 10 projects to be Funded However the code and comments conflict 

    /// @inheritdoc IGrantFundActions
    function propose(
        address[] memory targets_,
        uint256[] memory values_,
        bytes[] memory calldatas_,
        string memory description_
    ) external override returns (uint256 proposalId_) {
        // check description string isn't empty
        if (bytes(description_).length == 0) revert InvalidProposal();

        proposalId_ = _hashProposal(targets_, values_, calldatas_, _getDescriptionHash(description_));

        Proposal storage newProposal = _proposals[proposalId_];

        // check for duplicate proposals
        if (newProposal.proposalId != 0) revert ProposalAlreadyExists();

        DistributionPeriod storage currentDistribution = _distributions[_currentDistributionId];
//@audit-issue Screening stage end is in 73 days
        // cannot add new proposal after end of screening period
        // screening period ends 72000 blocks before end of distribution period, ~ 80 days.
        if (block.number > _getScreeningStageEndBlock(currentDistribution.startBlock)) revert ScreeningPeriodEnded();

Vulnerability Detail

We see that the block.number is compared against the currentDistribution startBlock. 

    function _getScreeningStageEndBlock(
        uint256 startBlock_
    ) internal pure returns (uint256) {
        return startBlock_ + SCREENING_PERIOD_LENGTH;
    }

This calculates 73 days from distribution not the 80 days from the startBlock. 80 days signify the end of screening and funding votes

Impact

https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-grants/src/grants/base/Storage.sol#L38-L43 https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-grants/src/grants/GrantFund.sol#L134-L143 https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-grants/src/grants/GrantFund.sol#L309-L313

Code Snippet

Tool used

Manual Review

Recommendation

Check and update code if it is 80 days, or update comments if it is 73 days

grandizzy commented 1 year ago

There were outdated comments in the code which are fixed in https://github.com/ajna-finance/ecosystem-coordination/pull/119. We consider this a QA issue though with zero risk.

0xffff11 commented 1 year ago

Agree with sponsor, this should be Informational/low because it has no real impact