Skip to content

Latest commit

 

History

History
49 lines (38 loc) · 1.64 KB

063.md

File metadata and controls

49 lines (38 loc) · 1.64 KB

Rich Charcoal Sardine

Medium

Improper slippage check in the ReputationMarket.sellVotes function.

Summary

In the ReputationMarket.sellVotes function, a slippage check is done by using proceedsBeforeFees. However, the actual amount given to the user is proceedsAfterFees, not proceedsBeforeFees.

Root Cause

In the ReputationMarket.sellVotes function, a slippage check is done by using proceedsBeforeFees. https://github.com/sherlock-audit/2024-12-ethos-update/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L553-L556

553:  uint256 pricePerVote = votesToSell > 0 ? proceedsBeforeFees / votesToSell : 0;
      if (pricePerVote < minimumVotePrice) {
        revert SellSlippageLimitExceeded(minimumVotePrice, pricePerVote);
      }

However, the actual amount given to the user is proceedsAfterFees, not proceedsBeforeFees. https://github.com/sherlock-audit/2024-12-ethos-update/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L567

    _sendEth(proceedsAfterFees);

So, slippage check is not done properly.

Internal pre-conditions

none

External pre-conditions

none

Attack Path

none

Impact

Improper slippage check

PoC

Mitigation

proceedsAfterFees should be used instead of proceedsBeforeFees in slippage check of the ReputationMarket.sellVotes function.

-    uint256 pricePerVote = votesToSell > 0 ? proceedsBeforeFees / votesToSell : 0;
+    uint256 pricePerVote = votesToSell > 0 ? proceedsAfterFees / votesToSell : 0;
    if (pricePerVote < minimumVotePrice) {
      revert SellSlippageLimitExceeded(minimumVotePrice, pricePerVote);
    }