Deep Ruby Troll - Re-Updating Market Votes

[sherlock-admin2]

Deep Ruby Troll

Medium

Re-Updating Market Votes

Summary

This issue is seen in both buyVotes and sellVotes once it updates the market.votes inside _calculateBuy then it updates it again in _calculateBuy

Root Cause

https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L442-L534

https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L942-L983

Exact Line of code where the re update occurs:
https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L467

https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L975

Basically we update it once inside _calculateBuy by getting exact market by getting the exact profileId by calling the _calculateBuy inside the buyVotes and sellVotes functions

(
      uint256 votesBought,
      uint256 fundsPaid,
      ,
      uint256 protocolFee,
      uint256 donation,
      uint256 minVotePrice,
      uint256 maxVotePrice
    ) = _calculateBuy(markets[profileId], isPositive, msg.value);

and when we update the market inside _calculateBuy

We re-Update it in both buyVotes and sellVotes

markets[profileId].votes[isPositive ? TRUST : DISTRUST] += votesBought;

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

causes re Updating and x2 of the actual amount of votesBought or votesSold

markets[profileId].votes[isPositive ? TRUST : DISTRUST] += votesBought;

PoC

No response

Mitigation

Update it just once after buyVouches or after sellVouches