Open code423n4 opened 1 year ago
__GovernorSettings_init() is called during initializing which calls _setVotingPeriod(initialVotingPeriod).
Hence the voting period is set first and then the weight later.
0xSorryNotSorry marked the issue as low quality report
0xean marked the issue as unsatisfactory: Invalid
Hi @0xean, could you clarify on why this finding is invalid?
My argument here is that setFullWeightDuration() contains a check that ensures fullWeightDuration isn't larger than votingPeriod, but setVotingPeriod() is missing a check to make sure that votingPeriod is larger than fullWeightDuration.
This could potentially create a scenario where the Arbitrum DAO decreases votingPeriod below fullWeightDuration using setVotingPeriod() (through the relay() function), which would DOS elections.
Thanks!
Thanks for clarifying, still not an M severity as it's input sanitization and therefore QA.
0xean changed the severity to QA (Quality Assurance)
0xean marked the issue as grade-a
Lines of code
https://github.com/ArbitrumFoundation/governance/blob/c18de53820c505fc459f766c1b224810eaeaabc5/src/security-council-mgmt/governors/modules/SecurityCouncilMemberElectionGovernorCountingUpgradeable.sol#L77-L84
Vulnerability details
Bug Description
In SecurityCouncilMemberElectionGovernorCountingUpgradeable, setFullWeightDuration() has a check to ensure that fullWeightDuration is more than the voting period:
SecurityCouncilMemberElectionGovernorCountingUpgradeable.sol#L77-L84
However, the setVotingPeriod() function in OpenZeppelin's GovernorSettingsUpgradeable module doesn't ensure that _votingPeriod is above fullWeightDuration. This means that governance could accidentally cause fullWeightDuration to be greater than _votingPeriod by calling setVotingPeriod() to decrease the voting period.
Should this occur, votesToWeight() will revert due to an arithmetic underflow when performing the following calculation:
SecurityCouncilMemberElectionGovernorCountingUpgradeable.sol#L241-L249
Where:
endBlock is equal to startBlock + _votingPeriod.
fullWeightVotingDeadline_ is equal to startBlock + fullWeightDuration.
Since votesToWeight() is used to determine the weightage of votes in _countVote(), all voting functions (e.g. castVote()) will always revert once fullWeightVotingDeadline_ has passed, causing all voting to be DOSed.
Impact
Governance could accidentally DOS voting for member elections by reducing the voting period below fullWeightDuration using setVotingPeriod().
This could occur if fullWeightDuration is initially equal to votingPeriod (votes have 100% weightage during the entire voting period), and governance decides to reduce the voting period to a shorter duration.
Given that setFullWeightDuration() is also called by governance, and has to be scheduled through timelocks, it might not be possible for governance to call setFullWeightDuration() to reduce fullWeightDuration in time after realizing the DOS has occurred.
Recommended Mitigation
In the SecurityCouncilMemberElectionGovernor contract, consider overriding the setVotingPeriod() function to ensure that the new voting period is always greater than fullWeightDuration. For example:
Assessed type
Access Control
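
The underflow the report describes, and the setter check it recommends, modelled in Python as an added example; this is not code from the report or from the Arbitrum governance repository. The class and method names, the linear-decay formula and the block numbers are assumptions, and Solidity's checked uint256 subtraction is emulated by checked_sub().

```python
class Revert(Exception):
    """Stands in for a Solidity revert (constructed model, not contract code)."""


def checked_sub(a: int, b: int) -> int:
    # Solidity >= 0.8 reverts on uint256 underflow instead of wrapping.
    if b > a:
        raise Revert("arithmetic underflow")
    return a - b


class ElectionGovernorModel:
    """Hypothetical model holding the two durations the report discusses."""

    def __init__(self, voting_period: int, full_weight_duration: int, guarded: bool):
        self.voting_period = voting_period
        self.full_weight_duration = full_weight_duration
        self.guarded = guarded  # True = setter carries the recommended check

    def set_voting_period(self, new_period: int) -> None:
        # Recommended mitigation: new period must stay above fullWeightDuration.
        if self.guarded and new_period <= self.full_weight_duration:
            raise Revert("voting period not above fullWeightDuration")
        self.voting_period = new_period

    def votes_to_weight(self, start_block: int, block_number: int, votes: int) -> int:
        full_weight_deadline = start_block + self.full_weight_duration
        if block_number <= full_weight_deadline:
            return votes  # full weight up to the deadline
        end_block = start_block + self.voting_period
        # The subtraction the report points at: it underflows when
        # voting_period < full_weight_duration.
        decay_span = checked_sub(end_block, full_weight_deadline)
        if decay_span == 0:
            raise Revert("division by zero")
        # Assumed linear decay between the deadline and end_block.
        decrease = votes * (block_number - full_weight_deadline) // decay_span
        return 0 if decrease >= votes else votes - decrease


def reverts(fn, *args) -> bool:
    """Return True when the call reverts in the model."""
    try:
        fn(*args)
    except Revert:
        return True
    return False
```
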