activateProposal() can only be called by the original submitter; it is expected for anyone to execute the proposal, since the only security check is governance consensus.
Lines of code
https://github.com/code-423n4/2022-08-olympus/blob/main/src/policies/Governance.sol#L205
https://github.com/code-423n4/2022-08-olympus/blob/main/src/policies/Governance.sol#L265
Vulnerability details
Impact
For the Governance.sol contract, the functions activateProposal() and executeProposal() can be called by anyone.
Proof of Concept
A malicious user could monitor the protocol DAO and activate or execute a proposal at a time not intended by the proposal submitter, since any address can call activateProposal() or executeProposal() and no input address validation is implemented on these functions.
Tools Used
Manual review
Recommended Mitigation Steps
Ensure activateProposal() and executeProposal() are being called by the proposal submitter. Alternatively, if the idea is to open the execution of a proposal by other parties, ensure it's getting called by trusted contract addresses or trusted EOAs.
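The two kinds of gate this thread contrasts, as an added sketch that is not part of the original report and is not the Olympus Governance.sol code: activation checked against caller identity, execution open to any caller but checked against recorded vote state. The contract name, the weight bookkeeping and the THRESHOLD_PCT value are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;
// Added sketch, not Olympus code. All names and THRESHOLD_PCT are hypothetical.
contract GovernanceSketch {
    struct Proposal { address submitter; bool active; bool executed; uint256 yes; uint256 no; }
    uint256 public constant THRESHOLD_PCT = 33;     // assumed consensus threshold
    uint256 public totalWeight;
    mapping(address => uint256) public weight;      // stand-in for a vote token balance
    mapping(uint256 => mapping(address => bool)) public voted;
    Proposal[] public proposals;
    error NotSubmitter(); error NotActive(); error AlreadyVoted(); error AlreadyExecuted(); error NoConsensus();
    event Executed(uint256 indexed id, address indexed caller);

    constructor(address[] memory voters, uint256[] memory weights) {
        for (uint256 i = 0; i < voters.length; i++) {
            weight[voters[i]] += weights[i];
            totalWeight += weights[i];
        }
    }

    function submit() external returns (uint256 id) {
        id = proposals.length;
        proposals.push(Proposal(msg.sender, false, false, 0, 0));
    }

    // Identity gate: only the submitter chooses when voting opens.
    function activate(uint256 id) external {
        if (msg.sender != proposals[id].submitter) revert NotSubmitter();
        proposals[id].active = true;
    }

    function vote(uint256 id, bool support) external {
        Proposal storage p = proposals[id];
        if (!p.active) revert NotActive();
        if (voted[id][msg.sender]) revert AlreadyVoted();
        voted[id][msg.sender] = true;
        if (support) p.yes += weight[msg.sender]; else p.no += weight[msg.sender];
    }

    // State gate: any caller, but only once net approval meets the threshold.
    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        if (!p.active) revert NotActive();
        if (p.executed) revert AlreadyExecuted();
        if (p.yes < p.no || (p.yes - p.no) * 100 < totalWeight * THRESHOLD_PCT) revert NoConsensus();
        p.executed = true; // effect recorded before any external call would be made
        emit Executed(id, msg.sender);
    }
}
```

When reviewing a finding of this kind, the question to settle is which of the two gates each function relies on: a missing msg.sender check only matters where no state check already decides the outcome.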