yixxas - solvent() is implemented wrongly

[github-actions]

yixxas

medium

solvent() is implemented wrongly

Summary

solvent() is can be used to check the solvency of a bounty. However, the current implementation is wrong and will return an incorrect or misleading result.

Vulnerability Detail

solvent() can currently only be used on ongoing bounty despite what is documented as reported in one of my other issue. In ongoing bounty, payoutVolume is the amount that is paid to each contributor.

solvent() checks for balance >= bounty.payoutVolume(). We are checking if total balance of token in the contract is higher than a SINGLE payout. This means that the bounty is deemed solvent as long as contract is able to pay a single contributor. This is incorrect.

function solvent(string calldata _bountyId) external view returns (bool) {
	IBounty bounty = getBounty(_bountyId);

	uint256 balance = bounty.getTokenBalance(bounty.payoutTokenAddress());
	return balance >= bounty.payoutVolume();
}

Impact

Wrong implementation of solvent() results in a wrong return value in most cases.

Code Snippet

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/OpenQ/Implementations/OpenQV1.sol#L408-L413

Tool used

Manual Review

Recommendation

We should check the balance with the total number of contributors * payoutVolume to get the correct check.

[FlacoJones]

This is never called anywhere on or off chain actually. will fix by removing

[FlacoJones]

OpenQDev/OpenQ-Contracts#112

[hrishibhat]

Considering this issue as low this function is view only and not used anywhere.