c4-submissions commented 1 year ago

Lines of code

https://github.com/open-dollar/od-contracts/blob/f4f0246bb26277249c1d5afe6201d4d9096e52e6/src/contracts/gov/ODGovernor.sol#L12

Vulnerability details

Impact

The ODGovernor inherits a vulnerable version (v4.8.0) of OpenZeppelin GovernorCompatibilityBravo contrcat, the vulnerability is regarding trimming proposal calldata as there's no check if the calldatas array equals the signatures array when a proposal is created:

function propose(
      address[] memory targets,
      uint256[] memory values,
      bytes[] memory calldatas,
      string memory description
  ) public virtual override(IGovernor, Governor) returns (uint256) {
      _storeProposal(_msgSender(), targets, values, new string[](calldatas.length), calldatas, description);
      return super.propose(targets, values, calldatas, description);
  }

where:

  function _storeProposal(
          address proposer,
          address[] memory targets,
          uint256[] memory values,
          string[] memory signatures,
          bytes[] memory calldatas,
          string memory description
      ) private {
          bytes32 descriptionHash = keccak256(bytes(description));
          uint256 proposalId = hashProposal(targets, values, _encodeCalldata(signatures, calldatas), descriptionHash);

          ProposalDetails storage details = _proposalDetails[proposalId];
          if (details.descriptionHash == bytes32(0)) {
              details.proposer = proposer;
              details.targets = targets;
              details.values = values;
              details.signatures = signatures;
              details.calldatas = calldatas;
              details.descriptionHash = descriptionHash;
          }
      }

This causes the additional elements of the calldatas array to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata.
This vulnerability is patched in v4.8.3, read more about it here.

Proof of Concept

ODGovernor contract

import {GovernorCompatibilityBravo} from '@openzeppelin/governance/compatibility/GovernorCompatibilityBravo.sol';

GovernorCompatibilityBravo.propose function that is currently inherited from the vulnerable GovernorCompatibilityBravo contract

  function propose(
        address[] memory targets,
        uint256[] memory values,
        bytes[] memory calldatas,
        string memory description
    ) public virtual override(IGovernor, Governor) returns (uint256) {
        _storeProposal(_msgSender(), targets, values, new string[](calldatas.length), calldatas, description);
        return super.propose(targets, values, calldatas, description);
    }

Tools Used

Manual Testing.

Recommended Mitigation Steps

Update the OpenZeppelin version of contracts to a version >=4.8.3

Assessed type

Library

c4-pre-sort commented 1 year ago

raymondfam marked the issue as low quality report

c4-pre-sort commented 1 year ago

raymondfam marked the issue as duplicate of #17

c4-judge commented 1 year ago

MiloTruck marked the issue as unsatisfactory: Out of scope

code-423n4 / 2023-10-opendollar-findings

The protocol uses a vulnerable `GovernorCompatibilityBravo` version #379