Aggregated contractPCT's can be > 1 Ether #480
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-710
edited-by-warden
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Comments
code423n4
added
2 (Med Risk)
C4-Staff
added a commit
that referenced
this issue
Jan 6, 2023
|
Invalid |
|
GalloDaSballo marked the issue as unsatisfactory: |
c4-judge
added
the
unsatisfactory
c4-judge
added
downgraded by judge
|
Duplicate of #710 |
|
My mistake, the finding is valid, but because of this check revert IncorrectRewardsDistribution();
The finding is QA - Low Severity L |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/ProtocolDAO.sol#L107
Vulnerability details
Impact
The
setClaimingContractPctfunction allows for aggregated percentages > 1 Ether which will result in a revert withinstartRewardsCycleProof of Concept
Currently, the
setClaimingContractPctfunction nicely checks if the provided decimal for the provided contract is <= 1 Ether. However, it does not check if all three used contracts:ClaimMultisig,ClaimNodeOpandClaimProtocolDAOhave an aggregated value <= 1 Ether. If they are >1 Ether, the functionstartRewardsCyclewill always revert in the following line:https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/RewardsPool.sol#L175.Tools Used
VSCode
Recommended Mitigation Steps
Consider checking if all three contracts have an aggregated value <= 1 Ether, if not revert the function.
*This is the first contest i took part, therefore my submissions might not be ideal yet, if there are any questions feel free to contact me directly in discord :-)
The text was updated successfully, but these errors were encountered: