Last updated
Was this helpful?
Submitted on May 14th 2024 at 15:36:44 UTC by @xBentley for
Report ID: #31189
Report type: Smart Contract
Report severity: High
Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/Voter.sol
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
When voting, the algorithm used to allocate weights to pools does not use up all available voting power for the token. This can disadvantage some voters leading to skewed voting.
When voting, weights for each pool are allocated proportionally, https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/Voter.sol#L432:
This calculation leaves out some amounts unallocated since Solidity will round down the calculation making _totalWeight to be less than totalPower. Actually the code does not check that the totalPower available has been used up. Consider this scenario:
totalPower = 500 weight1 = 10 weight2 = 50 weight3 = 75
poolWeight1 = (10 * 500)/135 = 37 poolWeight2 = (50 * 500)/135 = 185 poolWeight3 = (75 * 500)/135 = 277
total voting power used = 499.
Voters who will be affected by the rounding down might not be able to apply all available voting power, compared to other voters who, for example, pass in single parameters. This might lead to skewed voting results where the final tally is determined by a small difference between nays and ayes.
https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/Voter.sol#L432
##Recommendation I would recommend that the weight for the last pool be allocated via Subtraction and not division, thus src/Voter.sol::Ln432:
Add this test to src/test/Voting.t.sol:
Due to Solidity rounding down, the total power applied is less than available for the token.
