Inaccurate Quorum Calculation in Collection Shutdown due to Premature Vote Reclaim Restriction
Summary
Inaccurate Quorum Calculation in Collection Shutdown due to Premature Vote Reclaim Restriction
1. Bug Title: Inaccurate Quorum Calculation in Collection Shutdown due to Premature Vote Reclaim Restriction
2. Trigger Condition: This bug can be triggered when:
A collection shutdown process has been initiated using start().
Users have voted, and the required quorum (shutdownVotes >= quorumVotes) for the shutdown has been achieved, setting params.canExecute = true.
Before the owner of the CollectionShutdown contract calls execute() to proceed with the shutdown, one or more users decide to reclaim their votes by calling reclaimVote().
3. PoC Flow:
Start Shutdown: A user calls start(collectionAddress) initiating a collection shutdown process.
Users Vote: Multiple users holding CollectionToken for the given collection call vote(collectionAddress). Their votes are accumulated in shutdownVotes, eventually exceeding quorumVotes, setting params.canExecute = true.
User Reclaims Vote: At least one of the voting users, before the owner calls execute(), changes their mind and calls reclaimVote(collectionAddress). Their votes are deducted from shutdownVotes, potentially causing it to drop below quorumVotes.
Owner Executes Shutdown: The CollectionShutdown contract owner calls execute(collectionAddress, tokenIds). The execute function checks if canExecute is true (it still is, from step 2) but finds that shutdownVotes might be less than quorumVotes due to the vote reclaim in step 3.
Shutdown Failure: The execute function reverts with ShutdownNotReachedQuorum() even though enough users initially voted in favor of the shutdown, hindering the collection's sunsetting process.
4. Detailed Impact:
Blocked Shutdown: The collection intended for shutdown cannot be properly liquidated and removed from the Flayer platform. This impacts both users wanting to exit the collection and the overall efficiency of the platform.
Inconsistency: The bug creates an inconsistency between the status of the collection (perceived as ready for execution due to canExecute = true) and the actual votes remaining.
Potential Misuse: While not a direct exploit, a malicious actor could, in theory, repeatedly initiate shutdowns, encourage voting to reach quorum, and then quickly reclaim votes to prevent execution. This would unnecessarily burden the platform and potentially disrupt the intended usage of CollectionShutdown.
5. Code Snippet (reclaimVote function):
function reclaimVote(address _collection) public whenNotPaused {
// If the quorum has passed, then we can no longer reclaim as we are pending
// an execution.
CollectionShutdownParams storage params = _collectionParams[_collection];
if (params.canExecute) revert ShutdownQuorumHasPassed();
// Get the amount of votes that the user has cast for this collection
uint userVotes = shutdownVoters[_collection][msg.sender];
// If the user has not cast a vote, then we can revert early
if (userVotes == 0) revert NoVotesPlacedYet();
// We delete the votes that the user has attributed to the collection
params.shutdownVotes -= uint96(userVotes);
delete shutdownVoters[_collection][msg.sender];
// We can now return their tokens
params.collectionToken.transfer(msg.sender, userVotes);
// Notify our stalkers that a vote has been reclaimed
emit CollectionShutdownVoteReclaim(_collection, msg.sender, userVotes);
}
In Conclusion: This bug poses a significant risk to the smooth functioning of the CollectionShutdown mechanism. By wrongly restricting vote reclaims based solely on reaching quorum instead of actual execution, the code creates a vulnerability to inconsistent state and potentially disrupted shutdowns. Addressing this logic error is crucial to ensure proper and predictable execution of collection sunsetting in Flayer.
Rough Corduroy Eagle
High
Inaccurate Quorum Calculation in Collection Shutdown due to Premature Vote Reclaim Restriction
Summary
Inaccurate Quorum Calculation in Collection Shutdown due to Premature Vote Reclaim Restriction
1. Bug Title: Inaccurate Quorum Calculation in Collection Shutdown due to Premature Vote Reclaim Restriction
2. Trigger Condition: This bug can be triggered when:
start().shutdownVotes >= quorumVotes) for the shutdown has been achieved, settingparams.canExecute = true.CollectionShutdowncontract callsexecute()to proceed with the shutdown, one or more users decide to reclaim their votes by callingreclaimVote().3. PoC Flow:
start(collectionAddress)initiating a collection shutdown process.CollectionTokenfor the given collection callvote(collectionAddress). Their votes are accumulated inshutdownVotes, eventually exceedingquorumVotes, settingparams.canExecute = true.execute(), changes their mind and callsreclaimVote(collectionAddress). Their votes are deducted fromshutdownVotes, potentially causing it to drop belowquorumVotes.CollectionShutdowncontract owner callsexecute(collectionAddress, tokenIds). Theexecutefunction checks ifcanExecuteis true (it still is, from step 2) but finds thatshutdownVotesmight be less thanquorumVotesdue to the vote reclaim in step 3.executefunction reverts withShutdownNotReachedQuorum()even though enough users initially voted in favor of the shutdown, hindering the collection's sunsetting process.4. Detailed Impact:
canExecute = true) and the actual votes remaining.CollectionShutdown.5. Code Snippet (
reclaimVotefunction):In Conclusion: This bug poses a significant risk to the smooth functioning of the
CollectionShutdownmechanism. By wrongly restricting vote reclaims based solely on reaching quorum instead of actual execution, the code creates a vulnerability to inconsistent state and potentially disrupted shutdowns. Addressing this logic error is crucial to ensure proper and predictable execution of collection sunsetting in Flayer.Root Cause
No response
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
No response
PoC
No response
Mitigation
No response