Closed code423n4 closed 1 year ago
Since we're using a constant prefix hash here: https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/ExtraordinaryFunding.sol#L62, it would be unrealistic for someone to be able to generate the same proposalId necessary for this to occur.
I agree with the previous comment
Picodes marked the issue as unsatisfactory: Overinflated severity
Lines of code
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/GrantFund.sol#L36-L42
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/Funding.sol#L152-L159
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/GrantFund.sol#L45-L51
Vulnerability details
Impact
Alice creates an extraordinary proposal to request 10 million AJNA tokens to pay for something important. Mallory does not like the proposal and creates a standard proposal with the same arguments. The front end, which calls state() to view the state of any type of proposal, now returns the state of Mallory's standard proposal instead of Alice's extraordinary proposal.
Proof of Concept
The findMechanismOfProposal function will shadow an existing extraordinary proposal if a standard proposal with the same proposal ID exists. That is, the function will report that a given proposal ID corresponds to a standard proposal, even though an extraordinary proposal with the same ID exists.
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/GrantFund.sol#L36-L42
Proposal IDs for both types of proposals are generated by hashing the proposal arguments, which are the same for both proposals.
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/Funding.sol#L152-L159
The findMechanismOfProposal function is also called from the state function, which reports the state of a given proposal by ID.
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/GrantFund.sol#L45-L51
Depending on how the state view function is used, its use of the flawed findMechanismOfProposal function could cause problems in the front end or other smart contracts that integrate with the GrantFund contract.
Tools Used
Manual review
Recommended Mitigation Steps
Short term, redesign the findMechanismOfProposal function so that it does not shadow any proposal. For example, have the function return an array of two items that will indicate whether a standard and extraordinary proposal with that proposal ID exists.
Long term, consider all of the information that the front end and other integrating smart contracts might require to function correctly and design the corresponding view functions in the smart contracts to fulfill those requirements.
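The following Python model is an added example and is not Ajna's code. It models the two parts of this report: the shadowing behaviour of a first-match findMechanismOfProposal when standard and extraordinary proposals share an ID space, and the recommended mitigation of reporting both flags instead of picking one. It also models the point raised in the closing comment: when each mechanism mixes its own constant prefix hash into the description hash (domain separation), identical arguments no longer yield the same ID. Assumptions: hashlib.sha3_256 stands in for keccak256 (the Python stdlib has no keccak), the prefix strings, the argument encoding, and the Alice/Mallory proposal arguments are all constructed for the demo.

```python
import hashlib
from enum import Enum


def h(data: bytes) -> int:
    """Stand-in for keccak256 (assumption: sha3_256 from the stdlib)."""
    return int.from_bytes(hashlib.sha3_256(data).digest(), "big")


class Mechanism(Enum):
    STANDARD = "standard"
    EXTRAORDINARY = "extraordinary"


# Constructed per-mechanism prefix hashes (the real contract uses its own
# constants; these only illustrate the domain-separation idea).
PREFIX = {
    Mechanism.STANDARD: h(b"Standard Funding: "),
    Mechanism.EXTRAORDINARY: h(b"Extraordinary Funding: "),
}


def hash_proposal(targets, values, calldatas, description_hash: int) -> int:
    """Deterministic stand-in for abi.encode + keccak256 of the proposal arguments."""
    encoded = repr((tuple(targets), tuple(values), tuple(calldatas), description_hash))
    return h(encoded.encode())


def proposal_id(mechanism, targets, values, calldatas, description, domain_separated):
    desc_hash = h(description.encode())
    if domain_separated:
        # Mix the mechanism-specific prefix into the description hash, so the same
        # arguments produce different IDs for standard and extraordinary proposals.
        desc_hash = h(PREFIX[mechanism].to_bytes(32, "big") + desc_hash.to_bytes(32, "big"))
    return hash_proposal(targets, values, calldatas, desc_hash)


class GrantFundModel:
    """Toy model of the two proposal mappings and the lookup helpers."""

    def __init__(self, domain_separated: bool):
        self.domain_separated = domain_separated
        self.standard = {}       # proposalId -> proposer
        self.extraordinary = {}  # proposalId -> proposer

    def propose(self, mechanism, proposer, targets, values, calldatas, description):
        pid = proposal_id(mechanism, targets, values, calldatas, description,
                          self.domain_separated)
        book = self.standard if mechanism is Mechanism.STANDARD else self.extraordinary
        if pid in book:
            raise ValueError("proposal already exists in this mechanism")
        book[pid] = proposer
        return pid

    def find_mechanism(self, pid) -> Mechanism:
        """First-match lookup as described in the report: a standard proposal with
        the same ID shadows an extraordinary one."""
        if pid in self.standard:
            return Mechanism.STANDARD
        if pid in self.extraordinary:
            return Mechanism.EXTRAORDINARY
        raise KeyError("ProposalNotFound")

    def find_mechanisms(self, pid):
        """Recommended mitigation: report (standard_exists, extraordinary_exists)."""
        return (pid in self.standard, pid in self.extraordinary)


def demo():
    # Constructed proposal arguments shared by Alice and Mallory.
    args = (["0xTreasury"], [0], [b"transfer 10,000,000 AJNA"], "pay for something important")

    # Without domain separation, Mallory's standard proposal shares Alice's ID
    # and the first-match lookup reports the wrong mechanism.
    naive = GrantFundModel(domain_separated=False)
    alice = naive.propose(Mechanism.EXTRAORDINARY, "alice", *args)
    mallory = naive.propose(Mechanism.STANDARD, "mallory", *args)

    # With per-mechanism prefixes, the same arguments give distinct IDs, so the
    # extraordinary proposal is found as such.
    separated = GrantFundModel(domain_separated=True)
    alice2 = separated.propose(Mechanism.EXTRAORDINARY, "alice", *args)
    mallory2 = separated.propose(Mechanism.STANDARD, "mallory", *args)

    return {
        "naive_collides": alice == mallory,
        "naive_mechanism": naive.find_mechanism(alice),
        "naive_flags": naive.find_mechanisms(alice),
        "separated_collides": alice2 == mallory2,
        "separated_mechanism": separated.find_mechanism(alice2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The pair returned by find_mechanisms is the shape the mitigation asks for: a caller such as state() can then decide explicitly which proposal it is reporting on rather than silently following the first mapping that matches.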
Assessed type
Other