The functions of creating new DAO proposals (e.g., newActionProposal) are permissionless. Anyone can create a new proposal by paying some fees in SPARTA, as long as the previous proposal is closed. Thus, an attacker could then front-run proposals of benign users to prevent their proposals from being created. Moreover, the only way to close the malicious proposal without completing it is to wait for it to expire (15 days long). The attacker only needs to front-run benign DAO proposals every 15 days to effectively perform a DoS attack on the DAO.
SamusElderg
commented
3 years ago
Handle
shw
Vulnerability details
Impact
The functions of creating new DAO proposals (e.g.,
newActionProposal) are permissionless. Anyone can create a new proposal by paying some fees in SPARTA, as long as the previous proposal is closed. Thus, an attacker could then front-run proposals of benign users to prevent their proposals from being created. Moreover, the only way to close the malicious proposal without completing it is to wait for it to expire (15 days long). The attacker only needs to front-run benign DAO proposals every 15 days to effectively perform a DoS attack on the DAO.Proof of Concept
Referenced code: Dao.sol#L310 Dao.sol#L319 Dao.sol#L329 Dao.sol#L339 Dao.sol#L352 Dao.sol#L407
Recommended Mitigation Steps
Add a function that allows the deployer to remove malicious proposals directly in case this attack happens.