​

https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/TempleGoldStaking.sol#L231-L243

​

​

The provided code for the binary search in `TempleGoldStaking::getPriorVotes` has three critical errors: the incorrect calculation of the `center` (which always results in zero for certain scenarios), an incorrect update of the `lower` value (leading to potential infinite loops or missed block numbers), and a faulty `while` condition that prevents reaching the maximum `upper` value (causing the search to stop prematurely). These errors can cause a Denial of Service (DoS) vulnerability by making it impossible to accurately determine the prior number of votes for an account at a specific block number.

​

​

Wrong mechanism for searching the specific blockNumber to search for the votes at spesific blockNumber checkpoint in `TempleGoldStaking::getPriorVotes`.

​

​

There are at least three issues in this mechanism that lead to errors:

​

​

​

Lets have a scenario where:

​

* `nCheckpoints` is 5 and then `upper` is 4 (nCheckpoints - 1).

* `lower` is 0.

​

In this scenario, `center` will be `4 - (4 - 0) / 2` -> 0. `center` value will always be zero because basically upper will always be decremented with upper because lower is zero which will results zero.

​

​

} else if (cp.fromBlock < blockNumber) {

​

Lets have a scenario where:

​

* Checkpoint.fromBlock = [1,2,3,4,5].

* `blockNumber` is 5.

* `nCheckpoints` is 5 and then `upper` is 4 (nCheckpoints - 1).

* `lower` is 2.

* Second lower has been set to 3 (`center` is 3 (lower is 2, upper is 4))

* Third lower has been set to 3 (`center` is 3 (lower is 3, upper is 4)). The `center` will be 3 again because `(4 + 3) / 2 = 3.5` and it will be automatically rounded down.

* At the end, the intended blockNumber (4th epoch) will not be reached.

​

​

​

Lets have a scenario where:

​

* Checkpoint.fromBlock = [1,2,3,4,5].

* `blockNumber` is 5.

* `nCheckpoints` is 5 and then `upper` is 4 (nCheckpoints - 1).

* `center` is 2.

* `lower` is 3.

* Second lower has been set to 3 (`center` is 3 (lower is 3, upper is 4)).

* Because of the wrong `while` statement. The calculation stops here and the intended blockNumber (4th epoch) will not be reached.

​

​

This error causes a Denial Of Service (DoS) vulnerabilities to determine the prior number of votes for an account as of a block number. This vulnerabilities makes `TempleGoldStaking::getPriorVotes` only working for zero index epoch.

​

​

Manual Review

​

​

- while (upper > lower) {

+ while (upper >= lower) {

- uint256 center = upper - (upper - lower) / 2; // ceil, avoiding overflow

+ uint256 center = upper + lower / 2; // ceil, avoiding overflow

- lower = center;

+ lower = center + 1;