Skip to content

Latest commit

 

History

History
42 lines (24 loc) · 1.19 KB

052.md

File metadata and controls

42 lines (24 loc) · 1.19 KB

Amusing Plastic Fox

Medium

A user can have less votes than minimum votes that he specified

Summary

A user can have fewer votes than the specified minimum if they set a maxVotes value that is lower than the minimum number of votes.

Root Cause

In buyVotes, there is no check to ensure that maxVotesToBuy is greater than minVotesToBuy, as we can see here : https://github.com/sherlock-audit/2024-12-ethos-update/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L440-L449 which means the purchased votes will be less than or equal to maxVotesToBuy and, therefore, less than minVotesToBuy as we can see here : https://github.com/sherlock-audit/2024-12-ethos-update/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L452-L467

Internal Pre-conditions

None.

External Pre-conditions

None.

Attack Path

  1. Bob wants to buy some votes from a market.
  2. He want to disable the maxvotes so he set the maxVotesToBuy to 0.
  3. He get absolutely no votes from the call.

Impact

The user will not get the votes he wants.

PoC

No response

Mitigation

Add a check with a custom error that will ensure that the minimum is less than the maximum of votes.