First Flight #6: Voting Booth
First Flight #6
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Some rewards are kept in the contract when not all votes are true

skyhunter

Summary

When the quorum has been reached, the proposal has passed and the funds are being distributed, the rewardPerVoter is divided by the total amount of voters instead of the voters instead of the amount of the 'for' voters thus leaving some ETH inside the contract after distribution in case not everyone voted 'for'.

Vulnerability Details

There are no functions to withdraw ETH from the contract and variables cannot be re-initialized so the remaining ETH will stay permanently locked inside the contract and all it takes is 1 vote 'against'. As a poc you can add this test to VotingBoothTest.t.sol and verify that the test fails:

function testVotePassesAndAllMoneyIsSent() public {
vm.prank(address(0x1));
booth.vote(true);
vm.prank(address(0x2));
booth.vote(false);
vm.prank(address(0x3));
booth.vote(true);
assert(address(booth).balance == 0);
}

Impact

The 'for' voters don't get as much reward as they should get, and the creator is losing funds as well as they will be locked inside the contract permanently

Tools Used

VSCodium, foundry and manual check

Recommendations

Divide the totalRewards by totalVotesFor instead of totalVotes

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

VotingBooth._distributeRewards(): Incorrect computation of rewardPerVoter

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.