code-423n4 / 2023-05-maia-findings


Holders will not have enough time to delegate or cast their votes #843

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-maia/blob/main/src/governance/GovernorBravoDelegateMaia.sol#L18-L27

Vulnerability details

Impact

Note: The sponsor message on which networks project will be deployed.

Vote period/delay will not work correctly on L2s due to the use of block.number, which may not give holders enough time to delegate or cast before the voting delay or period ends.

Proof of Concept

    uint256 public constant MIN_VOTING_PERIOD = 80640; // About 2 weeks

    /// @notice The max setable voting period
    uint256 public constant MAX_VOTING_PERIOD = 161280; // About 4 weeks

    /// @notice The min setable voting delay
    uint256 public constant MIN_VOTING_DELAY = 40320; // About 1 weeks

    /// @notice The max setable voting delay
    uint256 public constant MAX_VOTING_DELAY = 80640; // About 2 weeks

Each of these values represents a specific period in Ethereum blocks (i.e. 12 s each), but none of these values will give the holders enough time when deploying on L2s due to .

Here is a simple comparison of block times across different networks:

| Network          | Block time |
|------------------|------------|
| Ethereum mainnet | 12 s       |
| Arbitrum         | 2 s        |
| Optimism         | 2 s        |
| Polygon          | 2 s        |
| Binance          | 3 s        |
| Metis            | 2 s        |
| Fantom           | 1 s        |
| Avalanche        | 3 s        |

Tools Used

Manual Review

Recommended Mitigation Steps

We recommend using block.timestamp instead of block.number.

Assessed type

Timing

c4-judge commented 1 year ago

trust1995 marked the issue as duplicate of #728

c4-judge commented 1 year ago

trust1995 marked the issue as satisfactory

0xRizwan commented 1 year ago

@trust1995 Ser,

This is a different issue and does not seem to be a duplicate of #728. It is recommending the use of block.timestamp and does not point out the block period issue.

Please have a look.

Thank you!

c4-judge commented 1 year ago

trust1995 marked the issue as not a duplicate

c4-judge commented 1 year ago

trust1995 marked the issue as primary issue

c4-judge commented 1 year ago

trust1995 marked the issue as duplicate of #417

trust1995 commented 1 year ago

This finding group contains two types of findings:

  1. Different chains have different block times
  2. ETH2 block time is different from assumed block time (15 seconds)

I believe these are similar enough to be looked at as the same underlying issue (block time assumptions affect voting period).
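The two sub-findings the judge groups here (per-chain block times, and the 12 s vs 15 s mainnet assumption) can be checked with the same arithmetic. The following script is an added example, not code from the finding, the judge or the Maia project: it takes the four constants quoted from GovernorBravoDelegateMaia.sol, the block times from the finding's table, and the 15 s figure from the judge's comment, and computes how much wall-clock time each block-denominated window actually delivers. It assumes that "About 2 weeks" in the contract comments means exactly 14 days (and so on for the other constants); the function names, the 0.9 tolerance and the network labels are this example's own construction.

```python
"""Effective length of block-denominated governance windows across chains.

Added example: the constants are quoted from GovernorBravoDelegateMaia.sol,
the block times from the finding's table plus the judge's 15 s figure; the
"intended" durations assume the contract comments mean exact weeks.
"""
from __future__ import annotations

DAY = 86400  # seconds

# (value in blocks, duration the comment says it represents, in seconds)
CONSTANTS: dict[str, tuple[int, int]] = {
    "MIN_VOTING_PERIOD": (80640, 14 * DAY),   # "About 2 weeks"
    "MAX_VOTING_PERIOD": (161280, 28 * DAY),  # "About 4 weeks"
    "MIN_VOTING_DELAY": (40320, 7 * DAY),     # "About 1 weeks"
    "MAX_VOTING_DELAY": (80640, 14 * DAY),    # "About 2 weeks"
}

# Block times in seconds. The first entry is the legacy pre-Merge assumption
# the judge refers to; the rest are the finding's table. Labels are assumed.
BLOCK_TIME: dict[str, int] = {
    "Ethereum (15 s assumption)": 15,
    "Ethereum mainnet": 12,
    "Arbitrum": 2,
    "Optimism": 2,
    "Polygon": 2,
    "Binance": 3,
    "Metis": 2,
    "Fantom": 1,
    "Avalanche": 3,
}


def effective_seconds(blocks: int, block_time: int) -> int:
    """Wall-clock seconds a window of `blocks` blocks lasts at `block_time` s/block."""
    return blocks * block_time


def coverage_ratio(constant: str, network: str) -> float:
    """Fraction of the documented duration the constant really delivers on `network`."""
    blocks, intended = CONSTANTS[constant]
    return effective_seconds(blocks, BLOCK_TIME[network]) / intended


def undershooting_networks(constant: str, tolerance: float = 0.9) -> list[str]:
    """Networks on which the window is shorter than `tolerance` of its documented length."""
    return [n for n in BLOCK_TIME if coverage_ratio(constant, n) < tolerance]


def report(constant: str) -> list[tuple[str, float]]:
    """(network, effective length in days, rounded to 2 decimals) for every network."""
    blocks, _ = CONSTANTS[constant]
    return [
        (n, round(effective_seconds(blocks, bt) / DAY, 2))
        for n, bt in BLOCK_TIME.items()
    ]


if __name__ == "__main__":
    for name in CONSTANTS:
        print(name)
        for network, days in report(name):
            print(f"  {network:<28} {days:>6.2f} days")
        print("  undershooting:", ", ".join(undershooting_networks(name)))
```

Running it shows that MIN_VOTING_PERIOD only reaches its documented two weeks at 15 s/block; at today's 12 s mainnet blocks it delivers 11.2 days (80% of the intended window), and on a 2 s chain such as Arbitrum it collapses to under two days. Denominating the windows in seconds via block.timestamp, as the finding recommends, removes both dependencies.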