code-423n4 / 2023-10-opendollar-findings


ODGovernor contract may incorrectly execute submitted proposals #387

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/open-dollar/od-contracts/blob/67e5917e7dc0c16324aff3fde0298cd218a15152/src/contracts/gov/ODGovernor.sol#L20

Vulnerability details

Impact

The ODGovernor contract may incorrectly execute submitted proposals.

The proposal creation entrypoint (propose) in GovernorCompatibilityBravo allows the creation of proposals with a signatures array shorter than the calldatas array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata. The ProposalCreated event correctly represents what will eventually execute, but the proposal parameters as queried through getActions reflect the originally intended calldata.

This particular issue affects GovernorCompatibilityBravo, which ODGovernor inherits from. It impacts the GovernorCompatibilityBravo contract since OZ v4.3.0 and was fixed in v4.8.3. As Open Dollar uses OZ v4.8.2, it is affected by this issue.

Proof of Concept

The corresponding OZ Security Advisory is available here.

Tools Used

Manual review

Recommended Mitigation Steps

Update the OpenZeppelin dependency to the latest non-vulnerable version, such as v4.9.3.

Assessed type

Governance
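
As an added illustration of the length-mismatch behaviour described in the finding above (this is example code written for this page, not code from Open Dollar, OpenZeppelin, or the submitter), the Python model below mirrors the roles of propose, getActions and execute in a Bravo-compatible governor. It shows the affected encoding (loop bounded by the signatures length, so trailing calldatas entries are left empty) beside a hardened encoder that rejects the mismatch. All names (BravoGovernorModel, Proposal, encode_calldata_vulnerable, encode_calldata_fixed) are assumptions made for the example, and sha3_256 is used as a stand-in for keccak256 because the Python standard library has no keccak256; the selector bytes therefore differ from real EVM selectors, but the behaviour demonstrated does not depend on their value.

```python
"""Model of the proposal-encoding behaviour described in the finding.

Added illustration for this page; not code from Open Dollar or OpenZeppelin.
The class and function names are assumptions chosen for the example.
"""
import hashlib
from dataclasses import dataclass


def selector(signature: str) -> bytes:
    """Stand-in for Solidity's bytes4(keccak256(bytes(signature))).

    Assumption: sha3_256 replaces keccak256 (not available in the stdlib), so the
    4-byte prefix differs from a real EVM selector. The length-mismatch behaviour
    shown below does not depend on the prefix value.
    """
    return hashlib.sha3_256(signature.encode()).digest()[:4]


def encode_calldata_vulnerable(signatures, calldatas):
    """Models the affected behaviour: the loop is bounded by len(signatures).

    A calldatas entry beyond that index is never copied, so the returned list
    keeps an empty payload for it and that action later executes with no calldata.
    """
    full = [b""] * len(calldatas)
    for i in range(len(signatures)):
        full[i] = calldatas[i] if signatures[i] == "" else selector(signatures[i]) + calldatas[i]
    return full


def encode_calldata_fixed(signatures, calldatas):
    """Hardened form used in this example: a length mismatch is rejected, not trimmed."""
    if len(signatures) != len(calldatas):
        raise ValueError("signatures and calldatas must have the same length")
    return [c if s == "" else selector(s) + c for s, c in zip(signatures, calldatas)]


@dataclass
class Proposal:
    targets: list
    values: list
    signatures: list
    calldatas: list   # original input: what getActions() reports
    encoded: list     # what is hashed, emitted in ProposalCreated, and executed


class BravoGovernorModel:
    """Minimal stand-in for the Bravo-compatible propose/getActions/execute flow."""

    def __init__(self, encoder):
        self.encoder = encoder
        self.proposals = {}

    def propose(self, targets, values, signatures, calldatas):
        if not (len(targets) == len(values) == len(calldatas)):
            raise ValueError("targets, values and calldatas must have the same length")
        encoded = self.encoder(signatures, calldatas)
        # The proposal id is derived from the *encoded* calldata, as the on-chain
        # hash and the ProposalCreated event would be (sha3_256 stand-in again).
        h = hashlib.sha3_256()
        for t, v, c in zip(targets, values, encoded):
            h.update(t.encode() + v.to_bytes(32, "big") + len(c).to_bytes(4, "big") + c)
        pid = h.hexdigest()
        self.proposals[pid] = Proposal(
            list(targets), list(values), list(signatures), list(calldatas), encoded
        )
        event = {"proposalId": pid, "calldatas": encoded}  # ProposalCreated payload
        return pid, event

    def get_actions(self, pid):
        """Mirror getActions(): returns the stored, original proposal parameters."""
        p = self.proposals[pid]
        return p.targets, p.values, p.signatures, p.calldatas

    def execute(self, pid):
        """Return the (target, value, calldata) calls the proposal would actually make."""
        p = self.proposals[pid]
        return list(zip(p.targets, p.values, p.encoded))


if __name__ == "__main__":
    # Constructed input: two actions, but only one signature supplied.
    gov = BravoGovernorModel(encode_calldata_vulnerable)
    pid, event = gov.propose(["0xA", "0xB"], [0, 0], ["transfer(address,uint256)"], [b"\x01", b"\x02"])
    print("getActions calldatas:", gov.get_actions(pid)[3])
    print("executed calldatas:  ", [c for _, _, c in gov.execute(pid)])
```

Running the module with the vulnerable encoder shows getActions reporting both original payloads while the second action executes with empty calldata; swapping in encode_calldata_fixed makes the same propose call raise instead, which is the behaviour a patched dependency should give.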

c4-pre-sort commented 1 year ago

raymondfam marked the issue as low quality report

c4-pre-sort commented 1 year ago

raymondfam marked the issue as duplicate of #17

c4-judge commented 1 year ago

MiloTruck marked the issue as unsatisfactory: Out of scope