Submission Details
Severity:
Last voter will pay higher gas.
Vulnerability Details
After quorum is reached, distributeRewards and sendEth function are executed. It means, last voter whose vote is needed to reach quorum will pay much higher gas than other voters.
Impact
Last voter will pay double gas than rest of voters.
PoC
function test_LastVoterWillPayHigherGas() public {
vm.prank(address(0x1));
booth.vote(false);
uint256 gasStartSecondVoter = gasleft();
vm.prank(address(0x2));
booth.vote(true);
uint256 gasEndSecondVoter = gasleft();
uint256 gasStartLastVoter = gasleft();
vm.prank(address(0x3));
booth.vote(true);
uint256 gasEndLastVoter = gasleft();
uint256 gasUsedSecondVoter = gasStartSecondVoter - gasEndSecondVoter;
uint256 gasUsedLastVoter = gasStartLastVoter - gasEndLastVoter;
assert(gasUsedLastVoter > gasUsedSecondVoter);
console.log("Gas used by second voter: ", gasUsedSecondVoter);
console.log("Gas used by last voter: ", gasUsedLastVoter);
}
Test result:
Gas used by second voter: 51467
Gas used by last voter: 115258
Tools Used
Foundry
Recommendations
_distributeRewards might be external function with 'if' statement inside allow to call only if quorum is reached. To keep current logic of the contract, do not forget add 'if' statement in vote function as well to prevent enter the function after the quorum is reached.
Rewards breakdown
This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.