Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Minato7namikazi - Inaccurate Quorum Calculation in Collection Shutdown due to Premature Vote Reclaim Restriction #783

Open
sherlock-admin4 opened this issue Sep 15, 2024 · 0 comments
Open

Minato7namikazi - Inaccurate Quorum Calculation in Collection Shutdown due to Premature Vote Reclaim Restriction #783

sherlock-admin4 opened this issue Sep 15, 2024 · 0 comments

Comments

@sherlock-admin4
Copy link
Contributor

sherlock-admin4 commented Sep 15, 2024
edited by sherlock-admin2
Loading

Minato7namikazi

High

Inaccurate Quorum Calculation in Collection Shutdown due to Premature Vote Reclaim Restriction

Summary

Inaccurate Quorum Calculation in Collection Shutdown due to Premature Vote Reclaim Restriction

1. Bug Title: Inaccurate Quorum Calculation in Collection Shutdown due to Premature Vote Reclaim Restriction

2. Trigger Condition: This bug can be triggered when:

  • A collection shutdown process has been initiated using start().
  • Users have voted, and the required quorum (shutdownVotes >= quorumVotes) for the shutdown has been achieved, setting params.canExecute = true.
  • Before the owner of the CollectionShutdown contract calls execute() to proceed with the shutdown, one or more users decide to reclaim their votes by calling reclaimVote().

3. PoC Flow:

  1. Start Shutdown: A user calls start(collectionAddress) initiating a collection shutdown process.
  2. Users Vote: Multiple users holding CollectionToken for the given collection call vote(collectionAddress). Their votes are accumulated in shutdownVotes, eventually exceeding quorumVotes, setting params.canExecute = true.
  3. User Reclaims Vote: At least one of the voting users, before the owner calls execute(), changes their mind and calls reclaimVote(collectionAddress). Their votes are deducted from shutdownVotes, potentially causing it to drop below quorumVotes.
  4. Owner Executes Shutdown: The CollectionShutdown contract owner calls execute(collectionAddress, tokenIds). The execute function checks if canExecute is true (it still is, from step 2) but finds that shutdownVotes might be less than quorumVotes due to the vote reclaim in step 3.
  5. Shutdown Failure: The execute function reverts with ShutdownNotReachedQuorum() even though enough users initially voted in favor of the shutdown, hindering the collection's sunsetting process.

4. Detailed Impact:

  • Blocked Shutdown: The collection intended for shutdown cannot be properly liquidated and removed from the Flayer platform. This impacts both users wanting to exit the collection and the overall efficiency of the platform.
  • Inconsistency: The bug creates an inconsistency between the status of the collection (perceived as ready for execution due to canExecute = true) and the actual votes remaining.
  • Potential Misuse: While not a direct exploit, a malicious actor could, in theory, repeatedly initiate shutdowns, encourage voting to reach quorum, and then quickly reclaim votes to prevent execution. This would unnecessarily burden the platform and potentially disrupt the intended usage of CollectionShutdown.

5. Code Snippet (reclaimVote function):

 function reclaimVote(address _collection) public whenNotPaused {
    // If the quorum has passed, then we can no longer reclaim as we are pending
    // an execution.
    CollectionShutdownParams storage params = _collectionParams[_collection];
    if (params.canExecute) revert ShutdownQuorumHasPassed();

    // Get the amount of votes that the user has cast for this collection
    uint userVotes = shutdownVoters[_collection][msg.sender];

    // If the user has not cast a vote, then we can revert early
    if (userVotes == 0) revert NoVotesPlacedYet();

    // We delete the votes that the user has attributed to the collection
    params.shutdownVotes -= uint96(userVotes);
    delete shutdownVoters[_collection][msg.sender];

    // We can now return their tokens
    params.collectionToken.transfer(msg.sender, userVotes);

    // Notify our stalkers that a vote has been reclaimed
    emit CollectionShutdownVoteReclaim(_collection, msg.sender, userVotes);
}

In Conclusion: This bug poses a significant risk to the smooth functioning of the CollectionShutdown mechanism. By wrongly restricting vote reclaims based solely on reaching quorum instead of actual execution, the code creates a vulnerability to inconsistent state and potentially disrupted shutdowns. Addressing this logic error is crucial to ensure proper and predictable execution of collection sunsetting in Flayer.

Root Cause

No response

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

No response

PoC

No response

Mitigation

No response
@sherlock-admin2 sherlock-admin2 changed the title Rough Corduroy Eagle - Inaccurate Quorum Calculation in Collection Shutdown due to Premature Vote Reclaim Restriction Minato7namikazi - Inaccurate Quorum Calculation in Collection Shutdown due to Premature Vote Reclaim Restriction Oct 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin4