Closed code423n4 closed 2 years ago
targets.length is limited to proposalMaxOperations when proposing the proposal.
https://github.com/code-423n4/2022-08-nounsdao/blob/main/contracts/governance/NounsDAOLogicV2.sol#L208
https://github.com/code-423n4/2022-08-nounsdao/blob/main/contracts/governance/NounsDAOLogicV2.sol#L91-L92
So I think the number of targets, hence the boundary of the for loop, is already limited.
Agree with @catchup99, don't see a scenario where these functions would run out of gas.
Lines of code
https://github.com/code-423n4/2022-08-nounsdao/blob/main/contracts/governance/NounsDAOLogicV2.sol#L285-L292
https://github.com/code-423n4/2022-08-nounsdao/blob/main/contracts/governance/NounsDAOLogicV2.sol#L323-L330
https://github.com/code-423n4/2022-08-nounsdao/blob/main/contracts/governance/NounsDAOLogicV2.sol#L346-L356
https://github.com/code-423n4/2022-08-nounsdao/blob/main/contracts/governance/NounsDAOLogicV2.sol#L374-L382
https://github.com/code-423n4/2022-08-nounsdao/blob/main/contracts/governance/NounsDAOInterfaces.sol#L286
Vulnerability details
Impact
The functions queue(), execute(), cancel() and veto() contain unbounded loops, which can cause transactions to consume more gas than the block limit (run out of gas) and revert. Since these functions are critical for the proposals flow, this could impact the availability of the protocol.
Proof of Concept
proposals.targets.length and targets is a dynamic-size array of addresses.
https://github.com/code-423n4/2022-08-nounsdao/blob/main/contracts/governance/NounsDAOLogicV2.sol#L285-L292
https://github.com/code-423n4/2022-08-nounsdao/blob/main/contracts/governance/NounsDAOLogicV2.sol#L323-L330
https://github.com/code-423n4/2022-08-nounsdao/blob/main/contracts/governance/NounsDAOLogicV2.sol#L346-L356
https://github.com/code-423n4/2022-08-nounsdao/blob/main/contracts/governance/NounsDAOLogicV2.sol#L374-L382
https://github.com/code-423n4/2022-08-nounsdao/blob/main/contracts/governance/NounsDAOInterfaces.sol#L286
Through a user mistake or through an attack vector, a proposal targets grows too large and iterating over all of its items consumes an amount of gas larger than what's available. (Note: A user mistake would be more likely than an attack vector, because the attacker would only harm his own proposal. However, the possibility of an attack vector should not be ignored).
The operations queue, execute, cancel and veto will not be available for such proposal.
Tools Used
Manual review
Recommended Mitigation Steps
One way to solve this issue is to limit the amount of targets that can be added to each proposal.
Another solution would be to add a slice functionality into the functions queue(), execute(), cancel() and veto(), to enable iterations on only a subsection of targets, instead of the entire array. This could be done by adding a startIndex and endIndex as function arguments.
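
Both recommended mitigations, shown as an added Solidity sketch that is not code from NounsDAOLogicV2 or from the report's author. The contract name, the MAX_OPERATIONS value, the queuedUpTo cursor and the queueSlice function are hypothetical, and proposal-state and access checks are assumed to live elsewhere.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical sketch, not NounsDAOLogicV2: all names and the cap value are assumptions.
contract BoundedProposalSketch {
    uint256 public constant MAX_OPERATIONS = 10; // assumed cap on actions per proposal

    struct Proposal {
        address[] targets;
        uint256 queuedUpTo; // number of targets already processed by queueSlice
    }

    mapping(uint256 => Proposal) private proposals;
    uint256 public proposalCount;

    event ActionQueued(uint256 indexed proposalId, uint256 index, address target);

    // Mitigation 1: reject oversized arrays at creation, so every later loop
    // over targets has a fixed upper bound on its gas cost.
    function propose(address[] calldata targets) external returns (uint256 id) {
        require(targets.length != 0, "no actions");
        require(targets.length <= MAX_OPERATIONS, "too many actions");
        id = ++proposalCount;
        proposals[id].targets = targets;
    }

    // Mitigation 2: process only [startIndex, endIndex) in one transaction.
    // Slices must be contiguous and in order, so no action is skipped or queued twice.
    function queueSlice(uint256 proposalId, uint256 startIndex, uint256 endIndex) external {
        Proposal storage p = proposals[proposalId];
        require(startIndex == p.queuedUpTo, "slice out of order");
        require(startIndex < endIndex && endIndex <= p.targets.length, "bad range");
        for (uint256 i = startIndex; i < endIndex; i++) {
            emit ActionQueued(proposalId, i, p.targets[i]);
        }
        p.queuedUpTo = endIndex;
    }

    // A proposal counts as queued only once every slice has been processed.
    function fullyQueued(uint256 proposalId) external view returns (bool) {
        Proposal storage p = proposals[proposalId];
        return p.targets.length != 0 && p.queuedUpTo == p.targets.length;
    }
}
```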