code-423n4 / 2022-02-anchor-findings


Users Can Utilise Flashloans to Vote on Governance Proposals #77

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/anchor-token-contracts/contracts/gov/src/contract.rs#L364-L455

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/anchor-token-contracts/contracts/gov/src/contract.rs#L582-L665

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/anchor-token-contracts/contracts/gov/src/staking.rs#L15-L116

Vulnerability details

Impact

There seems to be an edge case where a user can cast a vote and end a poll within the same block. As such, this exposes several attack vectors but more specifically a case where a user can use a flashloan to stake ANC tokens, vote on a poll, end the poll and withdraw their staked tokens in a single transaction. This may allow users to execute arbitrary proposals, assuming there are more liquid ANC tokens than staked ANC tokens.

Proof of Concept

Let's consider the following scenario:

Tools Used

Manual code review.

Recommended Mitigation Steps

Consider updating one of the two checks in end_poll() or cast_vote() such that there is no crossover between the two checks. There should be no way to stake tokens, cast a vote, end the poll and withdraw staked tokens, so it might also be useful to prevent staking and withdrawing ANC tokens within a single block.
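
The "no crossover" recommendation in the report above, as an added Rust example that is not part of the original report or the Anchor code base: it models only the block-height guards and a same-block withdrawal guard. The comparison operators, the `Boundary` enum, and all struct and function names are assumptions for illustration, and the heights are constructed sample values.

```rust
// Added example: the comparison operators below are assumptions,
// not copied from the Anchor gov contract.

#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Boundary {
    Overlapping, // assumed: vote accepted at height <= end, end accepted at height >= end
    Disjoint,    // hardened: vote accepted only at height < end
}

pub struct Poll {
    pub end_height: u64,
}

pub fn can_cast_vote(poll: &Poll, height: u64, b: Boundary) -> bool {
    match b {
        Boundary::Overlapping => height <= poll.end_height,
        Boundary::Disjoint => height < poll.end_height,
    }
}

pub fn can_end_poll(poll: &Poll, height: u64) -> bool {
    height >= poll.end_height
}

/// Heights in [from, to] at which both a vote and end_poll would be accepted.
pub fn crossover_heights(poll: &Poll, from: u64, to: u64, b: Boundary) -> Vec<u64> {
    (from..=to)
        .filter(|&h| can_cast_vote(poll, h, b) && can_end_poll(poll, h))
        .collect()
}

/// Second recommendation: record the staking height and refuse to
/// withdraw in that same block.
pub struct Stake {
    pub staked_at: u64,
}

pub fn can_withdraw(stake: &Stake, height: u64) -> bool {
    height > stake.staked_at
}

fn main() {
    let poll = Poll { end_height: 100 }; // constructed sample value
    println!("overlapping: {:?}", crossover_heights(&poll, 90, 110, Boundary::Overlapping));
    println!("disjoint:    {:?}", crossover_heights(&poll, 90, 110, Boundary::Disjoint));
    println!("same-block withdraw: {}", can_withdraw(&Stake { staked_at: 100 }, 100));
}
```
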

bitn8 commented 2 years ago

This is not a bug.

albertchon commented 2 years ago

Agreed, not a bug