code-423n4 / 2021-04-vader-findings


A proposal can be cancelled by anyone #298

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

s1m0

Vulnerability details

Impact

A proposal can be cancelled by anyone, as long as another proposal with the same type exists and hasMinority() (has > 16% of the votes).

Proof of Concept

1. voteProposal(): assume this vote triggers _finalise(). _finalise() sets mapPID_finalising[_proposalID] = true.
2. cancelProposal()

This works only if cancelProposal() is called before finaliseProposal(), but the require on line 112 helps by giving the attacker at least 1 block of advantage, because cancelProposal() has no time requirement and can be called in the same block as step 1.

Tools Used

Manual analysis

Recommended Mitigation Steps

Rethink the design of cancelProposal(). One idea that came to my mind would be to require more than 1 person to call cancelProposal() for it to be valid, e.g. 1% of the votes for the newProposal + a number of different addresses who voted in the newProposal, because 1 address could have 1% of the votes.
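The race described in this report and the suggested guard, as an added example that is not part of the original report and is not the Vader contracts' code: a simplified Python model of the proposal state machine. The class and method names, the total weight, the majority trigger for finalising, the "GRANT" type, `MIN_BACKERS` and the voter names are all assumptions made for illustration; that cancelling requires the old proposal to be finalising is inferred from the proof of concept.

```python
from dataclasses import dataclass, field

TOTAL = 1000        # assumed total voting weight
MIN_BACKERS = 2     # assumed number of distinct addresses for the mitigation

@dataclass
class Proposal:
    kind: str
    votes: dict = field(default_factory=dict)    # voter -> weight
    finalising: bool = False
    cancelled: bool = False
    start_block: int = 0
    backers: set = field(default_factory=set)    # voters of this proposal asking to cancel

class Dao:
    def __init__(self, guarded):
        self.guarded, self.block, self.p = guarded, 0, {}

    def has_minority(self, pid):                 # "> 16% votes", as in the report
        return sum(self.p[pid].votes.values()) * 100 > 16 * TOTAL

    def vote(self, pid, voter, weight):
        prop = self.p[pid]
        prop.votes[voter] = weight
        if sum(prop.votes.values()) * 2 > TOTAL: # assumed trigger for _finalise()
            prop.finalising, prop.start_block = True, self.block

    def cancel(self, caller, old, new):
        o, n = self.p[old], self.p[new]
        if not (o.finalising and self.has_minority(new) and o.kind == n.kind):
            return False
        if self.guarded:                         # the reporter's idea, modelled
            if caller not in n.votes:            # only voters of the new proposal count
                return False
            n.backers.add(caller)
            backing = sum(n.votes[b] for b in n.backers)
            if len(n.backers) < MIN_BACKERS or backing * 100 < sum(n.votes.values()):
                return False
        o.cancelled = True
        return True

    def finalise(self, pid):                     # stand-in for the time check on line 112
        prop = self.p[pid]
        return prop.finalising and not prop.cancelled and self.block > prop.start_block

def run(guarded):
    dao = Dao(guarded)
    dao.p = {1: Proposal("GRANT"), 2: Proposal("GRANT")}  # constructed sample proposals
    dao.vote(2, "bob", 100); dao.vote(2, "carol", 70)     # 17% -> has_minority
    dao.vote(1, "alice", 600)                             # step 1: starts finalising
    cancelled = dao.cancel("mallory", 1, 2)               # step 2: same block, non-voter
    dao.block += 1
    return cancelled, dao.finalise(1)
```

`run(False)` returns `(True, False)`: the unguarded cancel lands in the same block and the later finalise fails. `run(True)` returns `(False, True)`: the non-voter's call is rejected and the proposal finalises.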

strictly-scarce commented 3 years ago

https://github.com/code-423n4/2021-04-vader-findings/issues/227

0xBrian commented 3 years ago

https://github.com/vetherasset/vaderprotocol-contracts/pull/127/commits/c5fcb890d49115c9aa9cb767737c5d8c13a44b90

dmvt commented 3 years ago

duplicate of #227