Closed code423n4 closed 1 year ago
* @dev `verifyVM` serves to validate an arbitrary vm against a valid Guardian set
* - it aims to make sure the VM is for a known guardianSet
* - it aims to ensure the guardianSet is not expired
* - it aims to ensure the VM has reached quorum
* - it aims to verify the signatures provided against the guardianSet
*/
As per the Wormhole documentation for the parseAndVerifyVM function above, the proposal will not pass to be queued due to quorum not being reached by the guardians, and it will not pass the require statement below:
// Ensure VAA parsing verification succeeded.
require(valid, reason);
Invalid assumption.
0xSorryNotSorry marked the issue as low quality report
On Timelocks, the delay is required on execution, not on queuing AND execution.
Think about it, if you require a delay on queuing, when does the delay time start counting?
alcueca marked the issue as unsatisfactory: Invalid
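The timelock pattern described in the comment above, as an added example that is not part of the original thread and is not Moonwell's TemporalGovernor code: queuing only records a timestamp, and the delay is checked at execution. The contract name MiniTimelock, the queuedAt mapping and the function signatures are hypothetical; only the name proposalDelay is borrowed from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration; hypothetical contract, not Moonwell's TemporalGovernor.
contract MiniTimelock {
    uint256 public immutable proposalDelay;      // name borrowed from the report
    mapping(bytes32 => uint256) public queuedAt; // 0 means "not queued"

    event Queued(bytes32 indexed id, uint256 executableAt);
    event Executed(bytes32 indexed id);

    constructor(uint256 delay_) {
        proposalDelay = delay_;
    }

    /// No delay check here: queuing is the moment the clock starts.
    /// A real governor authenticates the payload first (for example by
    /// verifying the VAA); that step is omitted in this sketch.
    function queue(address target, bytes calldata data) external returns (bytes32 id) {
        id = keccak256(abi.encode(target, data));
        // Refuse re-queuing so nobody can restart the timer of a pending proposal.
        require(queuedAt[id] == 0, "already queued");
        queuedAt[id] = block.timestamp;
        emit Queued(id, block.timestamp + proposalDelay);
    }

    /// The delay is enforced here, measured from the queue timestamp.
    function execute(address target, bytes calldata data) external {
        bytes32 id = keccak256(abi.encode(target, data));
        uint256 t = queuedAt[id];
        require(t != 0, "not queued");
        require(block.timestamp >= t + proposalDelay, "delay not elapsed");
        delete queuedAt[id]; // clear state before the external call
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
        emit Executed(id);
    }
}
```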
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Governance/TemporalGovernor.sol#L225-L231
https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Governance/TemporalGovernor.sol#L295-L342
Vulnerability details
Impact
In the _queueProposal function there is no check for whether the requested time has passed to allow queuing the proposal. In this case any proposal can be added to the queue list after it is created.
Proof of Concept
The TemporalGovernor.sol contract has a variable that is used to return the amount of time a proposal needs to wait before going into the process (execute or queue):
But this variable is not used to check whether the time has passed to process a proposal in the queue function:
In this case every proposal that is created can be set to the queue list by users (the function is PERMISSIONLESS) before the requested time has passed or not:
Tools Used
manual review
Recommended Mitigation Steps
Recommend adding a check that block.timestamp is more than or equal to the proposalDelay.
Assessed type
Governance