Closed c4-bot-10 closed 5 months ago
0xSorryNotSorry marked the issue as sufficient quality report
0xSorryNotSorry marked the issue as duplicate of #1125
Trumpero changed the severity to QA (Quality Assurance)
Trumpero marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/LendingTermOnboarding.sol#L181
Vulnerability details
Impact
The LendingTermOnboarding contract is vulnerable to a Denial of Service (DoS) attack. The vulnerability arises because an attacker can repeatedly create and cancel proposals every time a term is created, and again after each MIN_DELAY_BETWEEN_PROPOSALS period.

This vulnerability is related to https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5h3x-9wvq-w4m2

The vulnerability referenced above was fixed in v4.9.1 of OZ's contracts by introducing opt-in frontrunning protection, but that protection isn't available in LendingTermOnboarding, since the contract disallows custom proposals and enforces a deterministic description in proposeOnboard() based on the term address.

An attacker can exploit this by observing when someone creates a term, then calling proposeOnboard() themselves. They can then cancel the proposal using the cancel() method provided by the Governor contract, from which LendingTermOnboarding inherits. By repeating this action every MIN_DELAY_BETWEEN_PROPOSALS, the attacker can effectively prevent the proposing of new terms.

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/LendingTermOnboarding.sol#L181
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/fd81a96f01cc42ef1c9a5399364968d0e07e9e90/contracts/governance/Governor.sol#L348
Proof of Concept
Consider the following scenario:
1. Alice creates a term using the createTerm() function.
2. The attacker calls proposeOnboard() with the term Alice just created, before she can do so herself.
3. The attacker cancels the proposal using the cancel() method.
4. The attacker repeats this every MIN_DELAY_BETWEEN_PROPOSALS, effectively preventing Alice and other legitimate users from proposing new terms.
Tools Used
Manual review
Recommended Mitigation Steps
Allow users to provide a custom description string to attach to the one generated in getOnboardProposeArgs(). This way, they would also be able to benefit from the frontrunning protection implemented in OZ's Governor.
Assessed type
Governance
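The following Python model illustrates the mechanism behind the Proof of Concept and the recommended mitigation: because proposeOnboard() derives the description from the term address, every caller computes the same proposal id, so whoever submits first occupies it; with an opt-in "#proposer=<address>" suffix, as introduced in OZ Governor 4.9.1, a replayed description from another account is rejected. This is an added example, not code from the Ethereum Credit Guild repository or from OpenZeppelin. It uses sha256 as a stand-in for keccak256/abi.encode, reduces the governor to propose/cancel bookkeeping, does not model MIN_DELAY_BETWEEN_PROPOSALS, and uses constructed placeholder addresses and calldata; the `description_suffix` parameter is the hypothetical user-supplied addition the mitigation asks for.

```python
"""Model of the proposal-id collision behind the LendingTermOnboarding DoS and of
the OZ 4.9.1-style '#proposer=' protection. Added example, not project code:
sha256 stands in for keccak256, the governor is simplified, MIN_DELAY_BETWEEN_PROPOSALS
is not modelled, and every address and calldata string is a constructed placeholder."""
import hashlib
import re
from dataclasses import dataclass

# Constructed addresses for the scenario (not real accounts or deployed contracts).
ALICE = "0x" + "a" * 40
ATTACKER = "0x" + "b" * 40
TERM = "0x" + "c" * 40

# OZ 4.9.1 recognises a description that ends in "#proposer=<address>".
PROPOSER_SUFFIX = re.compile(r"#proposer=(0x[0-9a-fA-F]{40})$")


class Revert(Exception):
    """Stands in for a Solidity revert."""


def hash_proposal(targets, values, calldatas, description):
    # OZ Governor: keccak256(abi.encode(targets, values, calldatas, keccak256(description))).
    # sha256 over a delimited encoding is used here purely as a stand-in.
    desc_hash = hashlib.sha256(description.encode()).hexdigest()
    parts = targets + [str(v) for v in values] + calldatas + [desc_hash]
    return hashlib.sha256("\x1f".join(parts).encode()).hexdigest()


@dataclass
class Proposal:
    proposer: str
    canceled: bool = False


class Governor:
    def __init__(self):
        self.proposals = {}

    def propose(self, sender, targets, values, calldatas, description):
        # Opt-in front-running protection (OZ >= 4.9.1): a description carrying a
        # "#proposer=" suffix may only be submitted by that address.
        m = PROPOSER_SUFFIX.search(description)
        if m and m.group(1).lower() != sender.lower():
            raise Revert("Governor: proposer restricted")
        pid = hash_proposal(targets, values, calldatas, description)
        # OZ rejects any id that has ever been proposed, cancelled ones included.
        if pid in self.proposals:
            raise Revert("Governor: proposal already exists")
        self.proposals[pid] = Proposal(sender)
        return pid

    def cancel(self, sender, targets, values, calldatas, description):
        pid = hash_proposal(targets, values, calldatas, description)
        prop = self.proposals.get(pid)
        if prop is None:
            raise Revert("Governor: unknown proposal id")
        if prop.proposer != sender:
            raise Revert("Governor: only proposer can cancel")
        if prop.canceled:
            raise Revert("Governor: proposal not active")
        prop.canceled = True
        return pid


class LendingTermOnboarding(Governor):
    def get_onboard_propose_args(self, term, description_suffix=""):
        # Every proposer derives the same description from the term address, hence the
        # same proposal id. `description_suffix` is the hypothetical user-supplied part.
        targets = ["<gauge-controller-placeholder>"]
        values = [0]
        calldatas = [f"addGauge({term})"]  # constructed stand-in for encoded calldata
        return targets, values, calldatas, f"Enable term {term}{description_suffix}"

    def propose_onboard(self, sender, term, description_suffix=""):
        return self.propose(sender, *self.get_onboard_propose_args(term, description_suffix))

    def cancel_onboard(self, sender, term, description_suffix=""):
        return self.cancel(sender, *self.get_onboard_propose_args(term, description_suffix))


def _outcome(fn):
    """Return the revert reason, or None when the call succeeds."""
    try:
        fn()
        return None
    except Revert as e:
        return str(e)


def vulnerable_scenario():
    gov = LendingTermOnboarding()
    r = {}
    r["attacker_proposal"] = _outcome(lambda: gov.propose_onboard(ATTACKER, TERM))
    r["alice_first_attempt"] = _outcome(lambda: gov.propose_onboard(ALICE, TERM))
    r["attacker_cancel"] = _outcome(lambda: gov.cancel_onboard(ATTACKER, TERM))
    r["alice_after_cancel"] = _outcome(lambda: gov.propose_onboard(ALICE, TERM))  # id still taken
    return r


def mitigated_scenario():
    gov = LendingTermOnboarding()
    suffix = f"#proposer={ALICE}"
    r = {}
    r["attacker_frontrun"] = _outcome(lambda: gov.propose_onboard(ATTACKER, TERM, suffix))
    r["alice_proposal"] = _outcome(lambda: gov.propose_onboard(ALICE, TERM, suffix))
    # A different description yields a different id, so it does not collide with Alice's.
    r["attacker_own_proposal"] = _outcome(lambda: gov.propose_onboard(ATTACKER, TERM))
    return r


if __name__ == "__main__":
    print("vulnerable:", vulnerable_scenario())
    print("mitigated:", mitigated_scenario())
```

Running the module prints both scenarios: in the vulnerable one Alice's calls revert with "Governor: proposal already exists" both before and after the attacker cancels, while in the mitigated one the replayed suffixed description reverts with "Governor: proposer restricted" and Alice's proposal is accepted.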