Handle
s1m0
Vulnerability details
Impact
A proposal can be cancelled by anyone, provided only that another proposal exists with the same type and hasMinority() (has > 16% of the votes).
Proof of Concept
1. voteProposal(): assume this vote triggers _finalise(). _finalise() sets mapPID_finalising[_proposalID] = true.
2. cancelProposal()

This works only if cancelProposal() is called before finaliseProposal(), but the require on line 112 helps by giving the attacker at least 1 block of advantage, because cancelProposal() has no time requirement and can be called in the same block as step 1.
Tools Used
Manual analysis
Recommended Mitigation Steps
Rethink the design of cancelProposal().
One idea that came to my mind would be to require more than 1 person to call cancelProposal() for it to be valid, e.g. 1% of the votes for the newProposal + a number of different addresses who voted for the newProposal, because 1 address could have 1% of the votes.
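A sketch of the multi-caller idea from the mitigation above, added here as an example and not taken from the report or the audited contract. Only cancelProposal, hasMinority and mapPID_finalising come from the report; every other name, both thresholds, and the hooks into the DAO are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration: a cancel only takes effect once enough distinct voters
// of the new proposal, holding enough of its votes, have backed it.
abstract contract CancelQuorumSketch {
    uint256 public constant MIN_CANCELLERS = 3;   // assumed number of distinct addresses
    uint256 public constant MIN_WEIGHT_BPS = 100; // 1% of the new proposal's votes

    mapping(uint256 => bool) public mapPID_finalising;
    // Hypothetical bookkeeping, keyed by (oldID, newID)
    mapping(uint256 => mapping(uint256 => mapping(address => bool))) public backedCancel;
    mapping(uint256 => mapping(uint256 => uint256)) public cancelBackers;
    mapping(uint256 => mapping(uint256 => uint256)) public cancelWeight;

    // Hooks assumed to be supplied by the DAO (hypothetical except hasMinority)
    function hasMinority(uint256 proposalID) public view virtual returns (bool);
    function sameType(uint256 a, uint256 b) public view virtual returns (bool);
    function totalVotes(uint256 proposalID) public view virtual returns (uint256);
    function votesOf(uint256 proposalID, address voter) public view virtual returns (uint256);
    function _cancel(uint256 proposalID) internal virtual;

    function cancelProposal(uint256 oldID, uint256 newID) external {
        require(mapPID_finalising[oldID], "Must be finalising");
        require(hasMinority(newID), "Must have minority");
        require(sameType(oldID, newID), "Must be same type");

        // Only addresses that voted for the new proposal may back the cancel,
        // and each address is counted once.
        uint256 weight = votesOf(newID, msg.sender);
        require(weight > 0, "Caller has no votes on new proposal");
        require(!backedCancel[oldID][newID][msg.sender], "Already counted");

        backedCancel[oldID][newID][msg.sender] = true;
        cancelBackers[oldID][newID] += 1;
        cancelWeight[oldID][newID] += weight;

        bool enoughAddresses = cancelBackers[oldID][newID] >= MIN_CANCELLERS;
        bool enoughWeight =
            cancelWeight[oldID][newID] * 10000 >= totalVotes(newID) * MIN_WEIGHT_BPS;

        // A single call can no longer cancel; both thresholds must be met.
        if (enoughAddresses && enoughWeight) {
            _cancel(oldID);
        }
    }
}
```

Where voting weight can be split across addresses, the address count is cheap to satisfy, so the weight threshold is the part that carries the check.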