Open code423n4 opened 12 months ago
0xSorryNotSorry marked the issue as primary issue
This is an interesting finding. Only guardian can change guardian; however, guardian can only pause once and is limited in abilities to being able to fast-track execution and unpause. After a single malicious pause, the guardian would no longer be able to pause, and 30 days later, governance would reopen.
ElliotFriedman marked the issue as sponsor confirmed
alcueca marked the issue as satisfactory
Barely making it as Medium.
alcueca marked the issue as selected for report
## Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/Governance/TemporalGovernor.sol#L27
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/access/Ownable.sol#L81-L86
## Vulnerability details

### Impact

`guardian` is mentioned as an area of concern in the docs: `guardian` is a role that has the ability to pause and unpause `TemporalGovernor`. In code, it uses the `owner` from OpenZeppelin `Ownable` as `guardian`. The issue is that `Ownable::transferOwnership` is not overridden, so only `guardian` (`owner`) can transfer the role.

This can be a conflict of interest if there is a falling out between governance and the guardian. If the `guardian` doesn't want to abstain, governance's only option would be to call `revokeGuardian`, which sets `owner` to `address(0)`. This permanently removes the ability to pause the contract, which can be undesirable.

### Proof of Concept

Simple test in `TemporalGovernorExec.t.sol`:

### Tools Used

Manual audit

### Recommended Mitigation Steps

Consider overriding `transferOwnership` and either limit it to only governance (`msg.sender == address(this)`) or to both `guardian` and governance.

### Assessed type

Governance
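As an added illustration of the recommended mitigation (example code, not Moonwell's `TemporalGovernor` nor code from this report): a minimal governor that reuses OpenZeppelin's `Ownable` owner as its guardian, with `transferOwnership` overridden so the guardian alone cannot hand the role to an arbitrary address. The contract name, the `setPaused` function, the `GuardianTransferred` event and the two modifiers are hypothetical; the example assumes OpenZeppelin Contracts v4.x, where `Ownable` declares `transferOwnership(address)` and `renounceOwnership()` as `public virtual onlyOwner` and provides the internal `_transferOwnership(address)`. "Called by governance" is modelled exactly as the report describes it, as the contract calling itself while executing a passed proposal (`msg.sender == address(this)`).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not Moonwell's TemporalGovernor. Assumes OpenZeppelin Contracts v4.x:
//   transferOwnership(address) public virtual onlyOwner
//   renounceOwnership()        public virtual onlyOwner
//   _transferOwnership(address) internal virtual
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// @notice Sketch of a governor whose "guardian" is the Ownable owner.
/// Governance acts by having this contract call itself when a queued proposal
/// is executed, so msg.sender == address(this) means "called by governance".
contract GuardianGovernorExample is Ownable {
    bool public paused;

    event GuardianTransferred(address indexed previousGuardian, address indexed newGuardian);

    /// @dev Ownable's v4 constructor makes the deployer the initial guardian (owner).
    constructor() {}

    /// @dev Stricter variant from the report: only an executed proposal may act.
    modifier onlyGovernance() {
        require(msg.sender == address(this), "only governance");
        _;
    }

    /// @dev Looser variant from the report: guardian or governance may act.
    modifier onlyGuardianOrGovernance() {
        require(
            msg.sender == owner() || msg.sender == address(this),
            "only guardian or governance"
        );
        _;
    }

    /// @notice Emergency control reserved for the guardian (hypothetical stand-in for
    /// the pause/unpause ability the report describes).
    function setPaused(bool value) external onlyOwner {
        paused = value;
    }

    /// @notice Mitigation: override Ownable's transfer so the guardian cannot move the
    /// role on its own. Without this override, Ownable's default is `onlyOwner`, i.e.
    /// only the current guardian can change the guardian, which is the issue reported.
    /// Replace the modifier with `onlyGovernance` for the governance-only variant.
    function transferOwnership(address newGuardian) public override onlyGuardianOrGovernance {
        require(newGuardian != address(0), "new guardian is the zero address");
        emit GuardianTransferred(owner(), newGuardian);
        _transferOwnership(newGuardian);
    }

    /// @notice Ownable's other owner-changing entry point. Left at its default
    /// (`onlyOwner`) it would let the guardian zero the role unilaterally, losing the
    /// pause capability in the same way the report describes for `revokeGuardian`;
    /// here it is routed through governance as well.
    function renounceOwnership() public override onlyGovernance {
        emit GuardianTransferred(owner(), address(0));
        _transferOwnership(address(0));
    }
}
```

In a Foundry test the two variants can be checked by pranking as the guardian and as the contract itself: with `onlyGuardianOrGovernance`, both callers succeed on `transferOwnership`; with `onlyGovernance`, the guardian's call reverts with "only governance" while the self-call (what an executed proposal produces) succeeds. Either way, a non-guardian, non-governance caller reverts, and the role can be moved to a new guardian without ever passing through `address(0)`.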