Different markets can prevent the execution of proposals in other markets, resulting in confusion in the system's proposal

[c4-bot-2]

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/governance/GuildVetoGovernor.sol#L315-L343 https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/test/proposals/gips/GIP_0.sol#L441-L448 https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/test/proposals/gips/GIP_0.sol#L210-L221

Vulnerability details

Impact

Different markets can prevent the execution of proposals in other markets, resulting in confusion in the system's proposal

Proof of Concept

In The Credit Guild system, a market is a 'gauge type' at the smart-contract level.

Each market has an independent GuildVetoGovernor contract and has the authority of TIMELOCK_CANCELLER. At the same time, the timelock variable of the GuildVetoGovernor contract points to the unique daoTimelock contract. Therefore, in the GuildVetoGovernor contract of any market, you can call the function createVeto(bytes32 timelockId) to object to other markets.

We believe this is a serious governance vulnerability.

Tools Used

Manual audit

Recommended Mitigation Steps

Segregate the execution authority of GuildVetoGovernor contracts in different markets

Assessed type

Governance

[0xSorryNotSorry]

no evidence

[c4-pre-sort]

0xSorryNotSorry marked the issue as insufficient quality report

[c4-judge]

Trumpero marked the issue as unsatisfactory: Insufficient proof