Closed code423n4 closed 2 years ago
I think this will not work since eta will be different in both proposals (if you queue a proposal, eta changes and hash is calculated based on this new eta).
Also, if both proposals are queued simultaneously to get the same eta, then it will also fail since queue does not allow duplicate transactions.
Right. This line would revert https://github.com/code-423n4/2022-08-nounsdao/blob/45411325ec14c6d747b999a40367d3c5109b5a89/contracts/governance/NounsDAOLogicV2.sol#L313
Maybe the inability to add two proposals that have the same tx can be a low risk issue. But this submission fails to explore that.
Lines of code
https://github.com/code-423n4/2022-08-nounsdao/blob/45411325ec14c6d747b999a40367d3c5109b5a89/contracts/governance/NounsDAOLogicV2.sol#L346
Vulnerability details
Impact
In `NounsDAOLogicV1` and `NounsDAOLogicV2`, anyone can create a proposal with the same actions as another proposal. In that case, if the attacker calls `cancel()` on his proposal, then the other proposal with the same action cannot be executed.
Proof of Concept
Function `cancel()` calls `cancelTransaction()` on `timelock`.
In `cancelTransaction()`, the hash of the action is used to mark the action (Line 137).
When `execute()` is called on the other proposal, if its action is marked as `false` on timelock then `executeTransaction()` will revert, resulting in the `execute()` function reverting (Line 152).
Tools Used
Manual Review
Recommended Mitigation Steps
Add proposal id in params when queueing and executing on timelock
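
The objection raised in the comments above, as an added example (a Python model, not the NounsDAO contracts): the queue entry is keyed by a hash that includes eta, so identical actions queued at different times occupy different slots, and queuing them at the same eta is rejected. It assumes eta is queue time plus a fixed delay, uses SHA3-256 as a stand-in for the on-chain hash, and folds the duplicate check into `queue`; `Timelock`, `ACTION`, `DELAY`, the error strings and the scenario functions are hypothetical names.

```python
import hashlib

DELAY = 2 * 24 * 3600  # assumed timelock delay in seconds (constructed value)
ACTION = ("0xTreasury", 0, "transfer(address,uint256)", "0xabc")  # constructed action

class Timelock:
    """Toy model of the timelock's queued-transaction map (not the project's code)."""
    def __init__(self):
        self.queued = {}

    @staticmethod
    def tx_hash(target, value, signature, data, eta):
        # Stand-in for hashing (target, value, signature, data, eta) on chain.
        blob = repr((target, value, signature, data, eta)).encode()
        return hashlib.sha3_256(blob).hexdigest()

    def queue(self, action, eta):
        h = self.tx_hash(*action, eta)
        # Duplicate check from the comments: same action at the same eta is rejected.
        if self.queued.get(h):
            raise RuntimeError("duplicate action at same eta")
        self.queued[h] = True

    def cancel(self, action, eta):
        self.queued[self.tx_hash(*action, eta)] = False

    def execute(self, action, eta):
        h = self.tx_hash(*action, eta)
        if not self.queued.get(h):
            raise RuntimeError("transaction not queued")
        self.queued[h] = False

def scenario_different_eta():
    """Same action queued 12 seconds apart: cancelling one leaves the other intact."""
    tl = Timelock()
    victim_eta, attacker_eta = 1_000 + DELAY, 1_012 + DELAY
    tl.queue(ACTION, victim_eta)
    tl.queue(ACTION, attacker_eta)
    tl.cancel(ACTION, attacker_eta)   # attacker cancels their own proposal
    tl.execute(ACTION, victim_eta)    # raises if the victim's entry was cleared
    return True

def scenario_same_eta():
    """Same action queued at the same eta: the second queue call is rejected."""
    tl = Timelock()
    tl.queue(ACTION, 1_000 + DELAY)
    try:
        tl.queue(ACTION, 1_000 + DELAY)
    except RuntimeError as e:
        return str(e)
```
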