Closed c4-bot-10 closed 5 months ago
Actions of Governor are trusted. QA
0xSorryNotSorry marked the issue as insufficient quality report
An instance of Governor's centralization risk ([M-01] Centralization risk for privileged functions) -> OOS
Trumpero marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/GuildGovernor.sol#L57-L71
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/GuildVetoGovernor.sol#L53-L64
Vulnerability details
Impact
In both the GuildGovernor and GuildVetoGovernor contracts, the quorum can be changed between the time a proposal is created and the time it is executed, which may change whether a given proposal is accepted or refused.
Proof of Concept
The ability to change the quorum value between the creation and execution of proposals can lead to the following issues:
Proposal Integrity: The dynamic nature of the quorum allows for manipulation of the voting requirements, potentially impacting the integrity of the proposal acceptance process.
Unpredictable Governance: The lack of a fixed quorum for each block number introduces uncertainty in the governance process, making it difficult for participants to anticipate the voting requirements at the time of proposal execution.
The vulnerability is evident in the following code snippet:
The absence of a specific quorum value for each block number allows the _quorum value to be modified without restrictions, potentially leading to governance inconsistencies.
Tools Used
Manual review
Recommended Mitigation Steps
To address this vulnerability and enhance the security of the governance contract, it is recommended to implement a fixed quorum for each block number. This can be achieved by maintaining a mapping of block numbers to their corresponding quorum values. The quorum function should then retrieve the appropriate quorum value based on the block number provided.
Example:
This modification ensures that the quorum is fixed for each block number, providing a more secure and predictable governance process.
The governance contract allows the dynamic modification of the quorum value between the creation and execution of proposals. This flexibility in adjusting the quorum may introduce a security vulnerability, potentially impacting the acceptance or refusal of proposals. It is recommended to establish a fixed quorum for each block number to enhance the security and predictability of the governance process.
Assessed type
Governance
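The mitigation the report recommends, as an added example that is not code from the Ethereum Credit Guild repository: the first contract shows the pattern the report describes (a quorum(blockNumber) that ignores its argument and returns whatever value is current), the second records each change as a (fromBlock, value) checkpoint and answers quorum(blockNumber) with the value in force at that block. The contract names, the `guardian` role and the checkpoint layout are assumptions made for illustration. If the governor inherits OpenZeppelin's Governor with GovernorCountingSimple, its `_quorumReached` already evaluates `quorum(proposalSnapshot(proposalId))`, so overriding `quorum(uint256)` with the checkpointed lookup is enough to pin each proposal to the quorum at its snapshot block.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added example, not code from the Ethereum Credit Guild repository.
// MutableQuorum, CheckpointedQuorum and the `guardian` role are assumptions
// chosen for illustration.

// The pattern the report describes: the block number argument is ignored, so
// a proposal snapshotted at block N is judged against a value set after N.
contract MutableQuorum {
    address public immutable guardian; // assumed role allowed to change quorum
    uint256 private _quorum;

    constructor(address guardian_, uint256 initialQuorum) {
        guardian = guardian_;
        _quorum = initialQuorum;
    }

    function setQuorum(uint256 newQuorum) external {
        require(msg.sender == guardian, "not guardian");
        _quorum = newQuorum;
    }

    function quorum(uint256 /* blockNumber */) public view returns (uint256) {
        return _quorum;
    }
}

// The recommended shape: every change is recorded with the block it takes
// effect from, and quorum(blockNumber) returns the value in force at that
// block, so it cannot move after a proposal's snapshot block.
contract CheckpointedQuorum {
    struct Checkpoint {
        uint48 fromBlock;  // first block at which `value` applies
        uint208 value;     // quorum in force from `fromBlock` onward
    }

    address public immutable guardian; // assumed role allowed to change quorum
    Checkpoint[] private _checkpoints;

    event QuorumUpdated(uint256 oldQuorum, uint256 newQuorum, uint256 fromBlock);

    constructor(address guardian_, uint256 initialQuorum) {
        guardian = guardian_;
        _push(initialQuorum);
    }

    // Quorum for the current block. Proposal evaluation must not use this;
    // it must use quorum(proposalSnapshot).
    function currentQuorum() external view returns (uint256) {
        return _checkpoints[_checkpoints.length - 1].value;
    }

    // Quorum in force at `blockNumber`: the latest checkpoint whose fromBlock
    // is <= blockNumber, found by binary search over the checkpoint array.
    function quorum(uint256 blockNumber) public view returns (uint256) {
        if (_checkpoints[0].fromBlock > blockNumber) {
            return 0; // no quorum had been defined at that block
        }
        uint256 low = 0;
        uint256 high = _checkpoints.length - 1;
        // Invariant: _checkpoints[low].fromBlock <= blockNumber.
        while (low < high) {
            uint256 mid = (low + high + 1) / 2;
            if (_checkpoints[mid].fromBlock <= blockNumber) {
                low = mid;
            } else {
                high = mid - 1;
            }
        }
        return _checkpoints[low].value;
    }

    // Takes effect from the current block; proposals whose snapshot block is
    // earlier keep the quorum recorded for that block.
    function setQuorum(uint256 newQuorum) external {
        require(msg.sender == guardian, "not guardian");
        uint256 oldQuorum = _checkpoints[_checkpoints.length - 1].value;
        _push(newQuorum);
        emit QuorumUpdated(oldQuorum, newQuorum, block.number);
    }

    function _push(uint256 value) internal {
        uint256 len = _checkpoints.length;
        if (len > 0 && _checkpoints[len - 1].fromBlock == block.number) {
            // Several changes within one block collapse into one checkpoint.
            _checkpoints[len - 1].value = uint208(value);
        } else {
            _checkpoints.push(
                Checkpoint({fromBlock: uint48(block.number), value: uint208(value)})
            );
        }
    }
}
```

With the checkpointed version, a proposal created at block 100 while the quorum was 1,000 is still evaluated against 1,000 even if the guardian raises the quorum to 1,500 at block 150, because `_quorumReached` asks for `quorum(100)` and the lookup returns the checkpoint covering block 100. Changes made in the same block as the proposal snapshot do apply to it, which matches how OpenZeppelin's GovernorVotesQuorumFraction checkpoints its numerator.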