Open naddison36 opened 1 year ago
Added the commit that addresses the issue to the above description
The analysis: Our Governance contract that calls propose imports GovernorCompatibilityBravo. That one imports OZ's 4.6.0 Governor.
This means that our proposal creations could be front-run. Until we upgrade the contracts to 4.9.1 we are vulnerable to the attack.
We will need to re-deploy the Governance contract:
OpenZeppelin has issued the following security advisory:
Affected packages: >=4.3.0 <4.9.1
Patched version: 4.9.1
Origin's ousd-governance repo is using OZ v4.6.0. Modified versions of the OZ Governance contracts are being used.
Analysis needs to be done to see if the OZ change needs to be applied to the modified Origin governance contracts.
OpenZeppelin commit that addresses the issue: https://github.com/OpenZeppelin/openzeppelin-contracts/commit/d9474327a492f9f310f31bc53f38dbea56ed9a57
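Added example, not part of the original issue and not code from Origin or OpenZeppelin: a check that walks an npm lockfile and flags every resolved OpenZeppelin contracts copy in the advisory range quoted above (>=4.3.0 <4.9.1), including copies nested under other dependencies. The npm package names, the lockfile layout (v2/v3 `packages` map) and the sample lockfile are assumptions constructed for illustration.

```javascript
const AFFECTED_MIN = [4, 3, 0]; // inclusive lower bound, from the advisory
const PATCHED = [4, 9, 1];      // first patched version, from the advisory
// Assumption: package names as published on npm; the page does not name them.
const PACKAGES = ["@openzeppelin/contracts", "@openzeppelin/contracts-upgradeable"];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v));
  return m ? { nums: m.slice(1, 4).map(Number), pre: Boolean(m[4]) } : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// true if >=4.3.0 <4.9.1. A pre-release such as 4.9.1-rc.0 sorts below 4.9.1,
// so it is treated as affected; a pre-release of 4.3.0 sorts below the range.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return null; // not a plain semver string: needs manual review
  const lo = cmp(p.nums, AFFECTED_MIN), hi = cmp(p.nums, PATCHED);
  return (lo > 0 || (lo === 0 && !p.pre)) && (hi < 0 || (hi === 0 && p.pre));
}

// Walk the lockfile "packages" map; keys are install paths, so a copy pulled in
// by another dependency appears as node_modules/<dep>/node_modules/<name>.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.includes("node_modules/")) continue; // skip the root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!PACKAGES.includes(name)) continue;
    // Report affected versions and unparseable ones (null) for manual review.
    if (isAffected(meta.version) !== false) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile, not taken from any real repository.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "governance-example" },
    "node_modules/@openzeppelin/contracts": { version: "4.6.0" },
    "node_modules/@openzeppelin/contracts-upgradeable": { version: "4.9.1" },
    "node_modules/some-dep/node_modules/@openzeppelin/contracts": { version: "4.2.0" },
    "node_modules/other-dep/node_modules/@openzeppelin/contracts": { version: "4.9.0" },
  },
};
console.log(findAffected(SAMPLE_LOCK));
```

A clean result only covers the packaged OpenZeppelin code; modified copies of the Governor contracts kept in the repository itself still need the manual comparison against the fixing commit.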