Closed code423n4 closed 1 year ago
trust1995 changed the severity to QA (Quality Assurance)
trust1995 marked the issue as grade-c
This previously downgraded issue has been upgraded by trust1995
This previously downgraded issue has been upgraded by trust1995
trust1995 marked the issue as duplicate of #180
trust1995 marked the issue as satisfactory
This is not a duplicate of #180, which describes a race condition between minting bHermes and creating a proposal. This issue describes early governance stages of a protocol. In our scenario, this will never happen with bHermes and would require an error in migration to V2 to happen with Maia/vMaia.
While the mitigation is completely valid and works, having a MIN_TOTAL_SUPPLY
is equivalent and easier to visualize in my opinion. The reason behind this might being a low/QA, is because what we intend to do and that completely prevents this is only calling _initiate
after a certain amount of totalSupply exists. So might be argued that this can only happen due to api misuse by the owner, but adding the minimum value is still valid just to be safe.
In addition, there is the ability for the admin to veto proposals, so this further prevents anyone from using this to try and do a governance attack.
trust1995 marked the issue as not a duplicate
trust1995 changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2023-05-maia/blob/cfed0dfa3bebdac0993b1b42239b4944eb0b196c/src/governance/GovernorBravoDelegateMaia.sol#L87-L93
Vulnerability details
Impact
At the early stage of the deployed DAO, it is possible that the following
getProposalThresholdAmount()
andgetQuorumVotesAmount()
returns0
because the token supply is low.Proof of Concept
LINK TO CODE
Assume the effect when
getQuorumVotesAmount() = 0
:state
function is called, which can executeelse if (proposal.forVotes <= proposal.againstVotes || proposal.forVotes < getQuorumVotesAmount()) { return ProposalState.Defeated; }
.getQuorumVotesAmount()
is 0, theproposal.forVotes < getQuorumVotesAmount()
condition would always befalse
. Essentially, quorum votes have no effect at all for determining whether the proposal is defeated or succeeded when the token supply is low.Tools Used
Manual Review
Recommended Mitigation Steps
Make both functions return some sensible
MIN_VALUE
if they amount to0
.Assessed type
Math