search

code-423n4 / 2023-12-autonolas-findings

3 stars 3 forks source link

Ensuring targets, values, and calldatas arrays are of equal length in the GovernorOLAS contract #9

Closed c4-bot-3 closed 8 months ago

c4-bot-3 commented 9 months ago

Lines of code

https://github.com/code-423n4/2023-12-autonolas/blob/main/governance/contracts/GovernorOLAS.sol#L16 https://github.com/code-423n4/2023-12-autonolas/blob/main/governance/contracts/GovernorOLAS.sol#L68 https://github.com/code-423n4/2023-12-autonolas/blob/main/governance/contracts/GovernorOLAS.sol#L85

Vulnerability details

Impact

Consider these enhancements provide additional safeguardsin the GovernorOLAS contract against invalid proposals, unauthorized executions, and proposal spamming.

  1. Ensuring targets, values, and calldatas arrays are of equal length prevents mismatched execution parameters
  2. Ensures that only proposals that have been successfully voted on (meeting necessary quorum and approval) can be executed
  3. Prevents attempts to cancel proposals that are already finalized

Proof of Concept

The specific changes to the propose, _execute, and _cancel functions in the GovernorOLAS contract to enhance security and ensure the integrity of the governance process. Here's a breakdown of each change and the rationale behind them:

Changes to the propose Function

  1. Input Validation Added Checks: Ensuring the targets, values, calldatas, and description parameters are valid. Rationale: This prevents malformed proposals which could potentially disrupt the governance process. Specifically: Ensuring targets, values, and calldatas arrays are of equal length prevents mismatched execution parameters. Checking that the description is not empty ensures every proposal is adequately described for voters to make informed decisions.

Changes to the _execute Function

  1. Proposal State Validation Added Check: Verifying that the proposal is in a 'Succeeded' state before execution. Rationale: This ensures that only proposals that have been successfully voted on (meeting necessary quorum and approval) can be executed, maintaining the integrity of the governance process and preventing premature or unauthorized execution of proposals.

Changes to the _cancel Function

  1. Proposal State Validation Added Check: Confirming that the proposal is neither already executed nor canceled before allowing cancellation. Rationale: This prevents attempts to cancel proposals that are already finalized, either by execution or previous cancellation, thus upholding the finality of decided governance actions.

Mitigation of Proposal Spamming Set Proposal Threshold: Ensuring the proposalThreshold is set appropriately in the constructor. Rationale: A properly set threshold prevents spamming of proposals by requiring proposers to have a significant amount of governance tokens. This acts as a deterrent against frivolous or malicious proposals, ensuring only serious proposals are put forth.

Conclusion These changes collectively serve to:

  1. Enhance the integrity and reliability of the governance process.
  2. Protect against governance attacks such as proposal spamming.
  3. Ensure that actions taken (execution or cancellation of proposals) are legitimate and reflect the community's consensus.

Tools Used

Recommended Mitigation Steps

To implement and add the suggested security checks to the propose, _execute, and _cancel functions in your GovernorOLAS contract, let's go through each function and apply the necessary modifications:

  1. propose Function Input Validation We need to validate the inputs to ensure they meet certain criteria. This includes checking the length of the arrays to make sure they are aligned and validating the description.

function propose( address[] memory targets, uint256[] memory values, bytes[] memory calldatas, string memory description ) public override(IGovernor, Governor, GovernorCompatibilityBravo) returns (uint256) { require(targets.length == values.length, "Mismatched inputs"); require(targets.length == calldatas.length, "Mismatched inputs"); require(bytes(description).length > 0, "Description is empty");

// Further validations can be added based on your requirements

return super.propose(targets, values, calldatas, description);

}

  1. _execute Function Proposal State Validation Before executing a proposal, we should ensure it's in a valid state. This is typically handled by the underlying Governor contract, but you can add additional checks.

function _execute( uint256 proposalId, address[] memory targets, uint256[] memory values, bytes[] memory calldatas, bytes32 descriptionHash ) internal override(Governor, GovernorTimelockControl) { require(state(proposalId) == ProposalState.Succeeded, "Proposal must be succeeded");

super._execute(proposalId, targets, values, calldatas, descriptionHash);

}

  1. _cancel Function Proposal State Validation Ensure the proposal is in a state that allows cancellation.

function _cancel( address[] memory targets, uint256[] memory values, bytes[] memory calldatas, bytes32 descriptionHash ) internal override(Governor, GovernorTimelockControl) returns (uint256) { uint256 proposalId = _getProposalId(targets, values, calldatas, descriptionHash); require( state(proposalId) != ProposalState.Executed && state(proposalId) != ProposalState.Canceled, "Proposal cannot be canceled" );

return super._cancel(targets, values, calldatas, descriptionHash);

}

  1. Proposal Spamming Mitigation Proposal Threshold Ensure that the proposalThreshold is set to a reasonable value to prevent proposal spamming. This is typically done in the GovernorSettings constructor, but you should review and adjust it as per your governance model.

constructor( // ... other parameters ... uint256 initialProposalThreshold // ... other parameters ... ) // ... other initializations ... GovernorSettings(initialVotingDelay, initialVotingPeriod, initialProposalThreshold) // ... other initializations ... { // Ensure the initial proposal threshold is reasonable }

By implementing these security measures, your governance contract becomes more robust, fair, and resistant to potential exploits or misuse.

Assessed type

Access Control

c4-pre-sort commented 8 months ago

alex-ppg marked the issue as insufficient quality report

c4-judge commented 8 months ago

dmvt marked the issue as unsatisfactory: Insufficient quality