Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix/gas refund on set vote #185

Merged
merged 8 commits into from
Jul 4, 2022
Merged

Fix/gas refund on set vote #185

merged 8 commits into from
Jul 4, 2022

Conversation

dcrescimbeni
Copy link
Contributor

Relates to issue #159, and DXD-11 in the audit.

Fixes setVote exploit when voteGas amount is set above the actual gas spent for the function call, enabling voters to get refunded more than what they spent to call the function.

It sets a hard limit of 100.000 gas (~85% of the actual 117.000 gas needed to execute setVote()).

@dcrescimbeni dcrescimbeni marked this pull request as ready for review June 23, 2022 18:14
@rossneilson
Copy link
Collaborator

So we are going with the assumption that gas will be around that cost regardless of chain?

@dcrescimbeni
Copy link
Contributor Author

So we are going with the assumption that gas will be around that cost regardless of chain?

That's the assumption, yes.

If that's not correct, then gas consumption must be calculated every time the function is called.

rossneilson
rossneilson previously approved these changes Jun 28, 2022
View reviewed changes
AugustoL
AugustoL requested changes Jun 28, 2022
View reviewed changes
Copy link
Member

@AugustoL AugustoL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Set the limit to 117 000, not 100 000

@dcrescimbeni
Copy link
Contributor Author

@AugustoL done!

AugustoL
AugustoL requested changes Jun 29, 2022
View reviewed changes
contracts/erc20guild/BaseERC20Guild.sol Outdated
@@ -179,7 +179,7 @@ contract BaseERC20Guild {
require(_proposalTime > 0, "ERC20Guild: proposal time has to be more than 0");
require(_lockTime >= _proposalTime, "ERC20Guild: lockTime has to be higher or equal to proposalTime");
require(_votingPowerForProposalExecution > 0, "ERC20Guild: voting power for execution has to be more than 0");
require(_voteGas <= 100000, "ERC20Guild: vote gas has to be equal or lower than 100.000"); // 100.000 is 85% of the gas amount to execute setVote
require(_voteGas <= 117000, "ERC20Guild: vote gas has to be equal or lower than 117.000");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove the . in 117.000 please, use the plain amount 117000, we never used . for numbers and it might be confussing. Also americans use that for decimals, and , for units.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done!

@dcrescimbeni dcrescimbeni merged commit 5bb84e7 into DXgovernance:develop Jul 4, 2022
@dcrescimbeni dcrescimbeni deleted the fix/gas-refund-on-setVote branch July 4, 2022 02:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rossneilson rossneilson rossneilson approved these changes

@AugustoL AugustoL AugustoL approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dcrescimbeni @rossneilson @AugustoL