Submission Details
Severity: high
Valid

If there is an "Against" vote, the distribution amount is incorrect. As a result, ETH is locked in the contract.

Summary

When the "For" votes outweigh the "Against" votes, the funds are sent to those who voted "For". If everyone votes "For" there is no problem, but the calculation of the per-voter amount when there are "Against" votes is incorrect.

Vulnerability Details

In the _distributeRewards() function, uint256 rewardPerVoter = totalRewards / totalVotes; is calculated and rewardPerVoter is sent to each "For" voter. However, since uint256 totalVotes = totalVotesFor + totalVotesAgainst; is used as the divisor, the share corresponding to totalVotesAgainst is never transferred to anyone and that ETH stays locked in the contract.
The POC is as follows. This test fails.

function testVotePassesIncludingAgainstAndMoneyIsSent() public {
    console.log("startingBalance", address(booth).balance);
    // Two "For" votes and one "Against": the proposal passes and rewards are distributed.
    vm.prank(address(0x1));
    booth.vote(true);
    vm.prank(address(0x2));
    booth.vote(true);
    vm.prank(address(0x3));
    booth.vote(false);
    console.log("endingBalance", address(booth).balance);
    // Expected: voting has closed and the contract holds no ETH. The balance check fails because of the bug.
    assert(!booth.isActive() && address(booth).balance == 0);
}

Impact

The correct amount is not transferred and the difference is locked in the contract.

Tools Used

Manual

Recommendations

uint256 rewardPerVoter = totalRewards / totalVotesFor;
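The arithmetic behind the finding and the recommended fix, as an added Python model (not the VotingBooth contract's code). It reproduces the POC's scenario of two "For" voters and one "Against" voter with a constructed pool of 10 ether, and shows the wei left behind by dividing by totalVotes. The fixed version divides by totalVotesFor as recommended above and additionally sweeps the integer-division remainder to the last "For" voter; that remainder handling is the example's own addition, since a pool that does not divide evenly by totalVotesFor would otherwise still leave dust in the contract.

```python
from dataclasses import dataclass

WEI_PER_ETH = 10**18


@dataclass(frozen=True)
class Outcome:
    payouts: dict  # voter -> wei received
    locked: int    # wei that remain in the contract after distribution


def _check_passed(voters_for, voters_against):
    # The finding concerns the passing case: more "For" than "Against" votes.
    if len(voters_for) <= len(voters_against):
        raise ValueError("distribution only happens when 'For' votes outweigh 'Against'")


def distribute_vulnerable(total_rewards, voters_for, voters_against):
    """Mirrors the reported bug: rewardPerVoter = totalRewards / totalVotes,
    even though only the 'For' voters are paid."""
    _check_passed(voters_for, voters_against)
    total_votes = len(voters_for) + len(voters_against)
    reward_per_voter = total_rewards // total_votes  # Solidity uint division truncates
    payouts = {v: reward_per_voter for v in voters_for}
    locked = total_rewards - sum(payouts.values())
    return Outcome(payouts, locked)


def distribute_fixed(total_rewards, voters_for, voters_against):
    """Divides by totalVotesFor as recommended, then pays the truncation
    remainder to the last 'For' voter (this example's own choice) so the
    contract balance reaches zero."""
    _check_passed(voters_for, voters_against)
    reward_per_voter = total_rewards // len(voters_for)
    payouts = {v: reward_per_voter for v in voters_for}
    remainder = total_rewards - reward_per_voter * len(voters_for)
    payouts[voters_for[-1]] += remainder
    locked = total_rewards - sum(payouts.values())
    return Outcome(payouts, locked)


# Constructed scenario matching the POC: 0x1 and 0x2 vote "For", 0x3 votes "Against".
POOL = 10 * WEI_PER_ETH
VOTERS_FOR = ["0x1", "0x2"]
VOTERS_AGAINST = ["0x3"]


def poc_outcomes():
    return distribute_vulnerable(POOL, VOTERS_FOR, VOTERS_AGAINST), distribute_fixed(POOL, VOTERS_FOR, VOTERS_AGAINST)


if __name__ == "__main__":
    vulnerable, fixed = poc_outcomes()
    print("vulnerable locked wei:", vulnerable.locked)  # one third of the pool stays behind
    print("fixed locked wei:", fixed.locked)            # 0
```

With the POC's votes, the vulnerable path pays each "For" voter one third of the pool and leaves the remaining third locked; the fixed path pays each half and leaves nothing. Changing the pool to a value that is not a multiple of the number of "For" voters shows why the remainder sweep matters for a test that asserts a zero balance.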

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

VotingBooth._distributeRewards(): Incorrect computation of rewardPerVoter
