Omniscia Olive Audit
VoteOlive Manual Review Findings
VOE-01M: System Voting Power Desynchronization
Type | Severity | Location |
---|---|---|
Logical Fault | | VoteOlive.sol:L231-L245 |
Description:
The setVoteMultipliers function will adjust the vote multiplier but will not update each user's existing vote.
Example:
```solidity
function setVoteMultiplers(VoteTokenMultipler[] memory multipliers) public override onlyOwner {
    uint256 votingTokenLength = votingTokens.length;
    if (votingTokenLength > 0) {
        for (uint256 i = votingTokenLength; i > 0; i--) {
            votingTokens.pop();
        }
    }

    for (uint256 i = 0; i < multipliers.length; i++) {
        voteMultipliers[multipliers[i].token] = multipliers[i].multiplier;
        votingTokens.push(multipliers[i].token);
    }

    emit VoteMultipliersSet(multipliers);
}
```
Recommendation:
We advise revising the system's voting to instead rely on a more straightforward and dynamic vote evaluation system, so that such a desynchronization cannot occur.
Alleviation:
The relevant function is no longer present in the codebase, rendering this exhibit null.
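An added model (not Olive's code and not part of the Omniscia report) that contrasts a stored vote snapshot, which goes stale when a multiplier changes, with evaluating votes on read as one interpretation of the recommendation. The contract name, storage layout, `recordBalance`, `currentVotes`, `isDesynchronized` and the 1e18 multiplier scale are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added model, not Olive's code: names, storage layout and the 1e18 scale are assumptions.
contract VoteEvaluationModel {
    uint256 public constant SCALE = 1e18; // multiplier of 1.0 (assumed fixed-point scale)
    address public immutable owner;
    address[] public votingTokens;
    mapping(address => bool) public isVotingToken;
    mapping(address => uint256) public voteMultipliers;
    mapping(address => mapping(address => uint256)) public balances; // account => token => amount
    mapping(address => uint256) public cachedVotes; // stored snapshot, the pattern in the finding

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Changing a multiplier touches no per-user state, so every cachedVotes entry goes stale.
    function setVoteMultiplier(address token, uint256 multiplier) external onlyOwner {
        if (!isVotingToken[token]) {
            isVotingToken[token] = true;
            votingTokens.push(token);
        }
        voteMultipliers[token] = multiplier;
    }

    // Stand-in for a staking hook; a real system would move tokens and restrict the caller.
    function recordBalance(address token, uint256 amount) external {
        balances[msg.sender][token] = amount;
        cachedVotes[msg.sender] = currentVotes(msg.sender); // snapshot refreshed only here
    }

    // One reading of the recommendation: derive votes from live balances and multipliers.
    function currentVotes(address account) public view returns (uint256 total) {
        uint256 length = votingTokens.length;
        for (uint256 i = 0; i < length; i++) {
            address token = votingTokens[i];
            total += (balances[account][token] * voteMultipliers[token]) / SCALE;
        }
    }

    // True when the snapshot no longer matches what the current multipliers imply.
    function isDesynchronized(address account) external view returns (bool) {
        return cachedVotes[account] != currentVotes(account);
    }
}
```

After `recordBalance` followed by a `setVoteMultiplier` call with a different value, `isDesynchronized` returns true for that account until its snapshot is refreshed, while `currentVotes` is always consistent with the current multipliers. The read cost of `currentVotes` grows with the number of voting tokens, so the list should stay small.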
VOE-02M: Inexistent Access Control of Event Emission
Type | Severity | Location |
---|---|---|
Logical Fault | | VoteOlive.sol:L286 |
Description:
The updateBalance function is meant to emit a unique WithdrawalRequestApplied event that off-chain processes are meant to react to, yet it does not impose any access control.
Example:
```solidity
function updateBalance(bytes32 eventType, address account) external override {
    address[] memory accounts = new address[](1);
    accounts[0] = account;

    updateUserVoteTotals(accounts);

    if (eventType == EVENT_TYPE_WITHDRAWALREQUEST) {
        UserVotes memory postVotes = getUserVotes(account);
        emit WithdrawalRequestApplied(account, postVotes);
    }
}
```
Recommendation:
We advise imposing some form of access control to ensure the event is only emitted under the right circumstances, as otherwise the off-chain services may become corrupted.
Alleviation:
The function now properly applies access control via the onlyStaking modifier, alleviating this exhibit.