code-423n4 / 2023-05-ajna-findings


Attacker can DoS the creation of extraordinary proposals #447

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/ExtraordinaryFunding.sol#L85 https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/ExtraordinaryFunding.sol#L92 https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/ExtraordinaryFunding.sol#L100

Vulnerability details

Impact

An attacker can prevent the creation of proposals in ExtraordinaryFunding.sol#proposeExtraordinary by front-running the proposal with a transaction that yields the same hash as the one the honest user intended, while setting `endBlock_` to the past, which invalidates the proposal.

Proof of Concept

This is possible because:

  1. The hash of the proposal carries no identifier of who creates it:

```solidity
File: ajna-grants\src\grants\base\ExtraordinaryFunding.sol

85:     function proposeExtraordinary(
86:         uint256 endBlock_,
87:         address[] memory targets_,
88:         uint256[] memory values_,
89:         bytes[] memory calldatas_,
90:         string memory description_) external override returns (uint256 proposalId_) {
91: 
92:         proposalId_ = _hashProposal(targets_, values_, calldatas_, keccak256(abi.encode(DESCRIPTION_PREFIX_HASH_EXTRAORDINARY, keccak256(bytes(description_))))); // Missing information about the creator
```
  2. `endBlock_` can be set in the past, which makes the proposal invalid:

```solidity
File: ajna-grants\src\grants\base\ExtraordinaryFunding.sol

99:         // check proposal length is within limits of 1 month maximum
100:        if (block.number + MAX_EFM_PROPOSAL_LENGTH < endBlock_) revert InvalidProposal(); // only an upper bound; nothing requires endBlock_ > block.number
101:
102:        uint128 totalTokensRequested = _validateCallDatas(targets_, values_, calldatas_);
103:
```

  3. Accordingly, we have the following situation:
     1. The honest user wants to create a proposal.
     2. The attacker front-runs this transaction and sends the same proposal, only setting `endBlock_` to the past.
     3. The honest user's transaction fails because it is not possible to create two proposals with the same hash.
     4. The proposal created by the attacker, which now exists, will be invalid because of the past `endBlock_`:

```solidity
File: ajna-grants\src\grants\base\ExtraordinaryFunding.sol

139:         if (proposal.startBlock > block.number || proposal.endBlock < block.number || proposal.executed) {
140:             revert ExtraordinaryFundingProposalInactive();
141:         }
```

For a small cost (the transaction fee), the attacker prevents the creation of new proposals.

Tools Used

Recommended Mitigation Steps

Assessed type

DoS
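A model of the sequence described in the finding and of the two mitigations it implies (binding the proposal id to `msg.sender`, and requiring `endBlock_` to lie in the future), added here as an example; it is not part of the warden's submission or of the Ajna code base. The registry class, the `EFMRegistry` and `simulate_frontrun` names, the sample calldata and the 216000-block constant are all assumptions of this model, and `sha256` stands in for `keccak256(abi.encode(...))` because only the collision behaviour matters here.

```python
import hashlib
from dataclasses import dataclass

# Assumed value for this model; the finding only states "1 month maximum".
MAX_EFM_PROPOSAL_LENGTH = 216_000


@dataclass
class Proposal:
    proposer: str
    start_block: int
    end_block: int
    executed: bool = False


class ProposalAlreadyExists(Exception):
    pass


class InvalidProposal(Exception):
    pass


class EFMRegistry:
    """Toy model of the proposal registry (not the real contract).

    The two flags switch on the mitigations so that the vulnerable and the
    hardened behaviour can be compared with the same input."""

    def __init__(self, include_sender: bool = False, reject_past_end: bool = False):
        self.proposals: dict[int, Proposal] = {}
        self.include_sender = include_sender
        self.reject_past_end = reject_past_end

    def hash_proposal(self, sender, targets, values, calldatas, description) -> int:
        # sha256 stands in for keccak256/abi.encode; only collisions matter here.
        h = hashlib.sha256()
        for part in (targets, values, calldatas, description):
            h.update(repr(part).encode())
        if self.include_sender:
            h.update(sender.encode())  # Mitigation 1: bind the id to the proposer
        return int.from_bytes(h.digest()[:8], "big")

    def propose(self, sender, block_number, end_block, targets, values, calldatas, description) -> int:
        pid = self.hash_proposal(sender, targets, values, calldatas, description)
        if pid in self.proposals:
            raise ProposalAlreadyExists(pid)
        # Upper bound that the original contract already enforces
        if block_number + MAX_EFM_PROPOSAL_LENGTH < end_block:
            raise InvalidProposal("proposal longer than the maximum")
        # Mitigation 2: the lower bound the finding points out is missing
        if self.reject_past_end and end_block <= block_number:
            raise InvalidProposal("endBlock_ is not in the future")
        self.proposals[pid] = Proposal(sender, block_number, end_block)
        return pid

    def is_active(self, pid, block_number) -> bool:
        # Mirrors the check at lines 139-141 of the contract
        p = self.proposals[pid]
        return not (p.start_block > block_number or p.end_block < block_number or p.executed)


def simulate_frontrun(registry: EFMRegistry, block_number: int = 1_000) -> dict:
    """Replay the sequence from the finding: the attacker's transaction with
    identical calldata and a past endBlock_ is mined first, then the honest one."""
    targets = ["0xTreasury"]            # constructed sample calldata
    values = [0]
    calldatas = [b"transfer(...)"]
    description = "Fund grants round 7"

    result = {"attacker_tx": None, "victim_tx": None, "attacker_active": None}
    try:
        atk_pid = registry.propose("0xAttacker", block_number, block_number - 1,
                                   targets, values, calldatas, description)
        result["attacker_tx"] = "ok"
        result["attacker_active"] = registry.is_active(atk_pid, block_number)
    except InvalidProposal:
        result["attacker_tx"] = "reverted"
    try:
        registry.propose("0xHonest", block_number, block_number + 50_000,
                         targets, values, calldatas, description)
        result["victim_tx"] = "ok"
    except ProposalAlreadyExists:
        result["victim_tx"] = "reverted"
    return result


if __name__ == "__main__":
    print("vulnerable:       ", simulate_frontrun(EFMRegistry()))
    print("sender in hash:   ", simulate_frontrun(EFMRegistry(include_sender=True)))
    print("future endBlock_: ", simulate_frontrun(EFMRegistry(reject_past_end=True)))
```

With neither flag set the honest transaction reverts and the attacker's proposal is inactive from the block it was created in, which is the DoS. Either mitigation alone breaks the sequence: including the sender in the hash gives the two submissions different ids, and rejecting a past `endBlock_` makes the front-running transaction revert instead of occupying the id. Requiring `endBlock_ > block.number` is the smaller change and also removes the degenerate case of a proposal that is active for a single block.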

c4-sponsor commented 1 year ago

ith-harvey marked the issue as sponsor confirmed

ith-harvey commented 1 year ago

Valid bug but we are removing the EFM.

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #260