Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Energetic Honeysuckle Leopard - Incorrect Initial Liquidity Calculation in ReputationMarket::initialize() #719

Open
sherlock-admin2 opened this issue Dec 5, 2024 · 0 comments
Open

Energetic Honeysuckle Leopard - Incorrect Initial Liquidity Calculation in ReputationMarket::initialize() #719

sherlock-admin2 opened this issue Dec 5, 2024 · 0 comments

Comments

@sherlock-admin2
Copy link
Contributor

Energetic Honeysuckle Leopard

High

Incorrect Initial Liquidity Calculation in ReputationMarket::initialize()

Summary

No response

Root Cause

The initialize function in the ReputationMarket contract defines three market tiers with specific initial liquidity values.

https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/57c02df7c56f0b18c681a89ebccc28c86c72d8d8/ethos/packages/contracts/contracts/ReputationMarket.sol#L201C3-L254C4

 function initialize(
    address owner,
    address admin,
    address expectedSigner,
    address signatureVerifier,
    address contractAddressManagerAddr
  ) external initializer {
    __accessControl_init(
      owner,
      admin,
      expectedSigner,
      signatureVerifier,
      contractAddressManagerAddr
    );
    __UUPSUpgradeable_init();
    enforceCreationAllowList = true;
    // Default market configurations:

    // Default tier
    // - Minimum viable liquidity for small/new markets
    // - 0.002 ETH initial liquidity
    // - 1 vote each for trust/distrust (volatile price at low volume)
    marketConfigs.push(
      MarketConfig({
        initialLiquidity: 2 * DEFAULT_PRICE,//@audit-here it sets as 2*0.01=0.02eth and not 0.002eth as mentioned above
        initialVotes: 1,
        basePrice: DEFAULT_PRICE
      })
    );

    // Deluxe tier
    // - Moderate liquidity for established profiles
    // - 0.05 ETH initial liquidity
    // - 1,000 votes each for trust/distrust (moderate price stability)
    marketConfigs.push(
      MarketConfig({
        initialLiquidity: 50 * DEFAULT_PRICE,//@check - here it is declaring 50*0.01 = 0.5eth instead of 0.05 as mentioned above
        initialVotes: 1000,
        basePrice: DEFAULT_PRICE
      })
    );

    // Premium tier
    // - High liquidity for stable price discovery
    // - 0.1 ETH initial liquidity
    // - 10,000 votes each for trust/distrust (highly stable price)
    marketConfigs.push(
      MarketConfig({
        initialLiquidity: 100 * DEFAULT_PRICE,//@check - here it is defining as 1eth instead of 0.1eth
        initialVotes: 10000,
        basePrice: DEFAULT_PRICE
      })
    );
  }

However, the actual implementation sets the initial liquidity to values that are significantly higher than those mentioned in the comments. This discrepancy affects all tiers:

  • Default Tier: Comment states 0.002 ETH, but implementation sets it to 0.02 ETH.
  • Deluxe Tier: Comment states 0.05 ETH, but implementation sets it to 0.5 ETH.
  • Premium Tier: Comment states 0.1 ETH, but implementation sets it to 1 ETH.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

Users need to provide more ETH than expected to create a market, potentially limiting participation.

PoC

No response

Mitigation

No response
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin2