Closed c4-bot-2 closed 5 months ago
0xSorryNotSorry marked the issue as sufficient quality report
0xSorryNotSorry marked the issue as duplicate of #1125
Trumpero changed the severity to QA (Quality Assurance)
Trumpero marked the issue as grade-b
Trumpero marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/governance/LendingTermOnboarding.sol#L230-L235
Vulnerability details
Impact
Any proposal on LendingTermOnboarding.sol can be maliciously front-run and canceled by the attacker, such that the unfavorable proposal will not be voted on. And the attack can be done repetitively.
Proof of Concept
In src/governance/LendingTermOnboarding.sol, there are two vulnerabilities. (1)
createTerm()
doesn’t associate or store the creator of a term in any ways, each created term is essentially anonymously created; (2)proposeOnboard()
will not create the proposal description with the creator or proposer address, which voids open zeppelin’s_isValidDescriptionForProposer()
front-run protection;The two vulnerabilities in combination allows an attacker who views the proposal / term to be unfavorable to front run
proposeOnboard()
and cancel the proposal, such that the unfavorable proposal will not be voted on.(https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/governance/LendingTermOnboarding.sol#L154-L163)
(https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/governance/LendingTermOnboarding.sol#L203-L208)
(https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/governance/LendingTermOnboarding.sol#L230-L235)
POC: Step1 : An attacker front run creator
proposeOnboard()
and propose the unfavorable proposal themselves.The transaction will succeed since
createTerm()
andproposeOnboard()
are anonymous to the proposer. And_isValidDescriptionForProposer()
is voided in this case.Step2: After transaction succeeds, the attacker will simply cancel the proposal. And now no one can propose until 7 days later. After MIN_DELAY passed, the attacker can perform the same attack if anyone attempts to propose the term or any term.
Tools Used
Manual Review
Recommended Mitigation Steps
Recommendations: (1) Considering in src/governance/LendingTermOnboarding.sol, in
createTerm()
addmsg.sender
(term proposer) to created lending term contract. Allow view queries to the term proposer address;(2) In
proposeOnboard()
, call the lending term contract for the proposer address to be added to proposaldescription
in the format of#proposer=0x
This will enable front run protection in Governor.solAssessed type
Other