The OlympusGovernance smart contract has a vote function that accepts a vote for or against a proposal. However, a vote can be counted for a proposal other than the one the voter expected: another proposal can be activated through the activateProposal function while the voting transaction is still pending and has not yet been included in a block, and the vote is then applied to whichever proposal is active when it executes. This is very similar to transaction front-running: an attacker can send a transaction calling activateProposal with a higher gas price than the voter chose for his transaction.
Impact
The voter votes for a proposal he did not expect instead of the proposal that was active at the moment the transaction was sent.
Recommended Mitigation Steps
Add one more input parameter to the vote function: vote(bool for_, uint256 proposalId_). Then add a check to the vote function that prevents this attack scenario: require(proposalId_ == activeProposal.proposalId).
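The following is an added example, not code from the OlympusGovernance contract or the original report. It is a simplified Python model of the ordering problem and of the recommended check. The Governance class, mine_block, run, the gas prices and the proposal ids are constructed assumptions, and the real preconditions of activateProposal are omitted.

```python
# Simplified model (constructed for illustration; not the OlympusGovernance code).
from dataclasses import dataclass, field

class Revert(Exception):
    """Stands in for a failed require(); the transaction changes no state."""

@dataclass
class Governance:
    check_id: bool                  # True = vote(for_, proposalId_) with the recommended require
    active: int = 1                 # models activeProposal.proposalId
    yes: dict = field(default_factory=dict)
    no: dict = field(default_factory=dict)

    def activate_proposal(self, proposal_id):
        self.active = proposal_id

    def vote(self, for_, proposal_id=None):
        if self.check_id and proposal_id != self.active:
            raise Revert("proposalId_ != activeProposal.proposalId")
        tally = self.yes if for_ else self.no
        tally[self.active] = tally.get(self.active, 0) + 1

def mine_block(gov, mempool):
    """Execute pending transactions, highest gas price first; return per-tx status."""
    results = {}
    for tx in sorted(mempool, key=lambda t: -t["gas_price"]):
        try:
            tx["call"](gov)
            results[tx["name"]] = "ok"
        except Revert as exc:
            results[tx["name"]] = f"reverted: {exc}"
    return results

def run(check_id):
    gov = Governance(check_id=check_id)
    intended = gov.active           # the voter sees proposal 1 active when signing
    mempool = [                     # constructed sample transactions
        {"name": "vote", "gas_price": 20,
         "call": lambda g: g.vote(True, intended if check_id else None)},
        {"name": "activate", "gas_price": 50,
         "call": lambda g: g.activate_proposal(2)},
    ]
    return gov, mine_block(gov, mempool)

if __name__ == "__main__":
    for check in (False, True):
        gov, results = run(check)
        print("with check" if check else "without check", results, gov.yes)
```

Without the check the vote is tallied for proposal 2. With it, the voting transaction reverts and no tally changes.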
Lines of code
https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/policies/Governance.sol#L240
https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/policies/Governance.sol#L231