code-423n4 / 2023-10-opendollar-findings


Frontrunning Exposure in `GovernorCompatibilityBravo` Integration #411

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/open-dollar/od-contracts/blob/f4f0246bb26277249c1d5afe6201d4d9096e52e6/src/contracts/gov/ODGovernor.sol#L90

Vulnerability details

Forenote

There's an appropriately invalidated finding identified by automated bots during the bot-race regarding the "Vulnerable versions of packages being used": bot-report.md#[L-1]. The bot has classified it as low severity, but I argue that its impact, especially in the context of the ODGovernor contract, is moderate. The automated finding doesn't differentiate or validate whether these vulnerable packages are actively in use. My analysis specifically targets the vulnerability in the GovernorCompatibilityBravo contract and its implications for the ODGovernor contract.

Impact

Proof of Concept

  1. The ODGovernor contract inherits its functionality from OpenZeppelin's GovernorCompatibilityBravo contract.
  2. A known vulnerability in the GovernorCompatibilityBravo contract allows for frontrunning attacks.
  3. An attacker can craft and send a proposal similar to an original one before it gets processed.
  4. The attacker can subsequently cancel their proposal, effectively blocking the genuine proposal from being recognized and acted upon.

Tools Used

Recommended Mitigation Steps

  1. Upgrade to the patched OpenZeppelin version "4.9.1" that addresses this specific vulnerability.
  2. Alternative: Introduce a mechanism to append the proposer's address or a unique identifier to the proposal description. This ensures that each generated proposal ID is unique and cannot be blocked by malicious frontrunning attempts.

References

Assessed type

Governance
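
The collision described in the proof of concept above, modelled as an added, runnable example. This is not code from the submission, from OpenZeppelin or from the Open Dollar repository: `sha256` over a canonical serialization stands in for the contract's `keccak256(abi.encode(...))` (the property that matters, identical inputs giving identical ids, is preserved), the addresses, calldata and description are constructed, and `patched=True` models the description-suffix rule the submission recommends (a description ending in `#proposer=0x...` is accepted only from that sender), not the library's exact implementation.

```python
import hashlib

# Constructed sample actors and proposal parameters (not from the audit page or the project).
VICTIM = "0x1111111111111111111111111111111111111111"
ATTACKER = "0x2222222222222222222222222222222222222222"
TARGETS = ["0x3333333333333333333333333333333333333333"]
VALUES = [0]
CALLDATAS = [bytes.fromhex("a9059cbb") + bytes(64)]  # transfer(address,uint256) selector + zeroed args
DESCRIPTION = "OD-1: adjust the collateral debt ceiling"


def hash_proposal(targets, values, calldatas, desc_hash):
    """Model of Governor.hashProposal. The real contract returns
    keccak256(abi.encode(targets, values, calldatas, descriptionHash));
    sha256 over a length-prefixed serialization is an assumption used here
    so the example runs with the standard library only."""
    h = hashlib.sha256()
    for target, value, calldata in zip(targets, values, calldatas):
        h.update(bytes.fromhex(target[2:]))
        h.update(int(value).to_bytes(32, "big"))
        h.update(len(calldata).to_bytes(4, "big") + calldata)
    h.update(desc_hash)
    return h.digest()


def description_hash(description):
    return hashlib.sha256(description.encode()).digest()


class Governor:
    """Minimal model of propose/cancel. With patched=True a description that
    ends in '#proposer=0x...' is only accepted from that sender (assumed
    mitigation, modelled after the fix the submission recommends)."""

    def __init__(self, patched=False):
        self.patched = patched
        self.proposals = {}  # proposal id -> {"proposer": addr, "canceled": bool}

    def _description_allowed(self, sender, description):
        marker = "#proposer="
        idx = description.rfind(marker)
        if idx == -1:
            return True
        return description[idx + len(marker):].lower() == sender.lower()

    def propose(self, sender, targets, values, calldatas, description):
        if self.patched and not self._description_allowed(sender, description):
            raise PermissionError("proposer restricted by description suffix")
        pid = hash_proposal(targets, values, calldatas, description_hash(description))
        if pid in self.proposals:
            # The id is derived purely from the call parameters, so a copied
            # proposal (even a canceled one) blocks the genuine one.
            raise ValueError("proposal already exists")
        self.proposals[pid] = {"proposer": sender, "canceled": False}
        return pid

    def cancel(self, sender, targets, values, calldatas, description):
        pid = hash_proposal(targets, values, calldatas, description_hash(description))
        entry = self.proposals[pid]
        if entry["proposer"] != sender:
            raise PermissionError("only the proposer may cancel")
        entry["canceled"] = True
        return pid


def run_frontrun(patched):
    """Attacker sees the victim's pending propose() in the mempool, submits the
    same call first and cancels it; then the victim's transaction lands."""
    gov = Governor(patched=patched)
    victim_desc = DESCRIPTION + (f"#proposer={VICTIM}" if patched else "")
    result = {"attacker_copied": False, "victim_proposed": False, "ids_collide": False}
    try:
        atk_id = gov.propose(ATTACKER, TARGETS, VALUES, CALLDATAS, victim_desc)
        gov.cancel(ATTACKER, TARGETS, VALUES, CALLDATAS, victim_desc)
        result["attacker_copied"] = True
    except PermissionError:
        # Suffix check rejected the copy; the attacker's only option is to drop
        # the suffix, which changes the description hash and therefore the id.
        atk_id = gov.propose(ATTACKER, TARGETS, VALUES, CALLDATAS, DESCRIPTION)
        gov.cancel(ATTACKER, TARGETS, VALUES, CALLDATAS, DESCRIPTION)
    try:
        victim_id = gov.propose(VICTIM, TARGETS, VALUES, CALLDATAS, victim_desc)
        result["victim_proposed"] = True
        result["ids_collide"] = victim_id == atk_id
    except ValueError:
        result["ids_collide"] = True
    return result


if __name__ == "__main__":
    print("unpatched:", run_frontrun(patched=False))
    print("patched:  ", run_frontrun(patched=True))
```

The unpatched run reproduces steps 3 and 4 of the proof of concept: the attacker's copy takes the proposal id, the cancel leaves it occupied, and the victim's identical call reverts. In the patched run the copied description is rejected for a sender other than the named proposer, and any description the attacker is allowed to submit hashes to a different id, so the genuine proposal is created.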

c4-pre-sort commented 1 year ago

raymondfam marked the issue as low quality report

c4-pre-sort commented 1 year ago

raymondfam marked the issue as duplicate of #17

c4-judge commented 1 year ago

MiloTruck marked the issue as unsatisfactory: Out of scope