Submission Details
Severity:
rewardPerVoter is computed as if all voters received a reward
Summary
rewardPerVoter is wrongly computed
Vulnerability Details
The reward per voter is calculated as if all voters received a reward, whereas only those who voted for are entitled to the reward.
File: src/VotingBooth.sol
192: uint256 rewardPerVoter = totalRewards / totalVotes;
Proof of Concept
Place the code for the following test function in test/VotingBoothTest.t.sol.
function test_WrongRewardPerVoter() public {
uint256 totalRewards = address(booth).balance;
uint256 votersFor;
uint256 votersAgainst;
vm.prank(address(0x1));
booth.vote(true);
votersFor += 1;
vm.prank(address(0x2));
booth.vote(true);
votersFor += 1;
vm.prank(address(0x3));
booth.vote(false);
votersAgainst += 1;
vm.prank(address(0x4));
booth.vote(true);
votersFor += 1;
uint256 totalVotes = votersFor + votersAgainst;
uint256 originalRewardPerVoter = totalRewards / votersFor;
uint256 currentRewardPerVoter = totalRewards / totalVotes;
assertGe(originalRewardPerVoter, currentRewardPerVoter);
}
In the terminal, run the following command:
forge test --mt test_WrongRewardPerVoter
Impact
For voters receive less than they should.
Tools Used
Manual review
Recommendations
Make following changes
- uint256 rewardPerVoter = totalRewards / totalVotes;
+ uint256 rewardPerVoter = totalRewards / totalVotesFor;
Updates
Lead Judging Commences
0xnevi almost 2 years ago
Submission Judgement Published Assigned finding tags:
VotingBooth._distributeRewards(): Incorrect computation of rewardPerVoter
Rewards breakdown
This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.