code-423n4 / 2021-04-vader-findings

Lack of input validation lets anyone cancel any finalising proposal in DAO.sol #184

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

0xRajeev

Vulnerability details

Impact

Anyone can cancel any finalising stage proposal by simply using newProposalID equal to an existing (oldProposalID) finalising proposal of their choice. All checks (finalising, hasMinority, isEqual) will pass for the call cancelProposal(oldProposalID, oldProposalID) because the oldProposalID has minority support (L104 check) as it’s already finalising and L105 check will also pass.

There is no need to create and vote on a new proposal with newProposalID that has minority support and has the same type string as the oldProposalID, to allow the canceling of the proposal with oldProposalID.

Proof of Concept

https://github.com/code-423n4/2021-04-vader/blob/3041f20c920821b89d01f652867d5207d18c8703/vader-protocol/contracts/DAO.sol#L102-L108

Tools Used

Manual Analysis

Recommended Mitigation Steps

Perform input validation on parameters to check that newProposalID != oldProposalID in cancelProposal().
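
The check sequence described in this report, with and without the recommended mitigation, as an added Solidity sketch. It is not the Vader contract's code and not part of the original report. The storage layout, the `seed` helper, the minority threshold and the name `cancelProposalUnchecked` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model of the three checks named in the finding (finalising,
// hasMinority, isEqual). Everything else here is assumed, not taken from DAO.sol.
contract CancelProposalModel {
    struct Proposal {
        string kind;     // proposal type string
        uint256 votes;   // weight voted for this proposal
        bool finalising; // set once the proposal has enough support
    }

    uint256 public totalWeight; // assumed total voting weight
    mapping(uint256 => Proposal) public proposals;

    constructor(uint256 _totalWeight) { totalWeight = _totalWeight; }

    // Hypothetical helper for experiments: set a proposal's state directly.
    function seed(uint256 id, string calldata kind, uint256 votes, bool finalising) external {
        proposals[id] = Proposal(kind, votes, finalising);
    }

    function hasMinority(uint256 id) public view returns (bool) {
        return proposals[id].votes * 6 > totalWeight; // assumed threshold
    }

    function isEqual(bytes memory a, bytes memory b) public pure returns (bool) {
        return keccak256(a) == keccak256(b);
    }

    // As reported: with oldProposalID == newProposalID and a finalising proposal,
    // all three checks compare the proposal against itself and pass.
    function cancelProposalUnchecked(uint256 oldProposalID, uint256 newProposalID) external {
        _cancel(oldProposalID, newProposalID);
    }

    // Recommended mitigation: reject identical IDs before the other checks run.
    function cancelProposal(uint256 oldProposalID, uint256 newProposalID) external {
        require(newProposalID != oldProposalID, "Must be a different proposal");
        _cancel(oldProposalID, newProposalID);
    }

    function _cancel(uint256 oldProposalID, uint256 newProposalID) internal {
        require(proposals[oldProposalID].finalising, "Must be finalising");
        require(hasMinority(newProposalID), "Must have minority");
        require(isEqual(bytes(proposals[oldProposalID].kind), bytes(proposals[newProposalID].kind)), "Must be same type");
        proposals[oldProposalID].votes = 0;          // assumed cancel effect
        proposals[oldProposalID].finalising = false; // assumed cancel effect
    }
}
```

A regression test for the fix should seed one finalising proposal and assert that `cancelProposal(id, id)` reverts while the proposal's votes and finalising flag are unchanged.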

strictly-scarce commented 3 years ago

https://github.com/code-423n4/2021-04-vader-findings/issues/227

0xBrian commented 3 years ago

https://github.com/vetherasset/vaderprotocol-contracts/pull/127/commits/c5fcb890d49115c9aa9cb767737c5d8c13a44b90

dmvt commented 3 years ago

duplicate of #227