Lines of code
Affected contract: https://github.com/open-dollar/od-contracts/blob/f4f0246bb26277249c1d5afe6201d4d9096e52e6/src/contracts/gov/ODGovernor.sol#L1-L144
Vulnerability details
Impact
GovernorCompatibilityBravo may trim proposal calldata
Governor proposal creation may be blocked by frontrunning
Proof of Concept
OpenZeppelin identified both issues and explained the impact and the problems that can arise. Here I attach the links to both problems, since OZ's explanation will be clearer:
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-93hq-5wgc-jc82
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5h3x-9wvq-w4m2
Using a version where these issues are not solved will lead to all the problems listed in the above links. Regarding the specific scope of the OD contest, if governor proposal creation gets blocked by frontrunning, all the functions that need to be called by governance won't be accessible. In Vault721.sol, there are a lot of functions that fit these requirements since they implement the onlyGovernor modifier: updateNftRenderer, updateContractURI, setSafeManager and setNftRenderer.
This would break the core functionality of Vault721.sol, and thus of the whole project.
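The blocking scenario described above, modelled as an added Python example (not the project's or OpenZeppelin's code): a proposal id derives only from the call set and the description, so an identical call mined first claims the id, and the proposer-suffix check introduced in OZ 4.9.1 (reproduced here in simplified form, with sha256 standing in for keccak256) lets the intended proposer reserve it. The addresses, calldata strings and the Governor class are constructed.

```python
import hashlib
import re

# Constructed model of OZ Governor.propose() before/after the 4.9.1
# proposer-suffix check; sha256 stands in for keccak256(abi.encode(...)).
PROPOSER_SUFFIX = re.compile(r"#proposer=(0x[0-9a-fA-F]{40})$")


def hash_proposal(targets, values, calldatas, description):
    # The id depends only on the calls and the description hash, never on
    # the sender, so an identical copy of the call produces the same id.
    canonical = repr((tuple(targets), tuple(values), tuple(calldatas)))
    desc_hash = hashlib.sha256(description.encode()).hexdigest()
    return hashlib.sha256((canonical + desc_hash).encode()).hexdigest()


def is_valid_description_for_proposer(proposer, description):
    # 4.9.1 rule (simplified): a trailing '#proposer=0x...' restricts the
    # proposal to that address; a description without it stays open to anyone.
    m = PROPOSER_SUFFIX.search(description)
    return m is None or m.group(1).lower() == proposer.lower()


class Governor:
    def __init__(self, proposer_suffix_check):
        self.proposals = {}  # proposal id -> proposer
        self.check_suffix = proposer_suffix_check

    def propose(self, sender, targets, values, calldatas, description):
        allowed = is_valid_description_for_proposer(sender, description)
        if self.check_suffix and not allowed:
            raise PermissionError("Governor: proposer restricted")
        pid = hash_proposal(targets, values, calldatas, description)
        if pid in self.proposals:
            raise ValueError("Governor: proposal already exists")
        self.proposals[pid] = sender
        return pid


def simulate(fixed):
    # The intended proposer submits a Vault721 call; a copy of the same call
    # is mined first. Returns each sender's result plus both addresses.
    proposer, copier = "0x" + "11" * 20, "0x" + "22" * 20
    gov = Governor(proposer_suffix_check=fixed)
    targets, values, calldatas = ["Vault721"], [0], ["updateContractURI(<uri>)"]
    desc = "Update Vault721 contract URI" + (f"#proposer={proposer}" if fixed else "")
    outcome = {}
    for sender in (copier, proposer):  # mempool ordering: the copy lands first
        try:
            outcome[sender] = gov.propose(sender, targets, values, calldatas, desc)
        except (ValueError, PermissionError) as e:
            outcome[sender] = str(e)
    return outcome, proposer, copier
```

With `fixed=False` the genuine proposer's call reverts with "proposal already exists"; with `fixed=True` the copied call is rejected and the genuine one is recorded.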
Tools Used
Manual review
Recommended Mitigation Steps
Update the OZ contracts version, since these issues are fixed in more recent versions. (You can check it in the links I provided earlier).
Assessed type
Governance