Closed c4-bot-2 closed 8 months ago
All 500 pieces would just be lying on the ground inconsequential to voting.
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #118
MarioPoneder marked the issue as unsatisfactory: Insufficient proof
Lines of code
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/d42cc62b873a1b2b44f57310f9d4bbfdd875e8d6/packages/revolution/src/CultureIndex.sol#L332-L334
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/d42cc62b873a1b2b44f57310f9d4bbfdd875e8d6/packages/revolution/src/CultureIndex.sol#L307-L324
Vulnerability details
Impact
In `CultureIndex.sol` (#L332-L334) we can see that the external `vote` function is protected by the `nonReentrant` modifier from OpenZeppelin. This prevents reentrant calls from locking up state. Additionally, each individual vote call in `_vote` updates the `hasVoted` mapping for the voter, so every vote call does minimal work.

This leads to a couple of natural mitigations against spam:

- `nonReentrant` helps guard state
- `hasVoted` mapping for voter

However, there is no explicit rate limiting logic checking, for example, `msg.sender` vote frequency/totals over past blocks.

Proof of Concept
The CultureIndex.sol contract has no limits on the number of votes that can be submitted. This allows an attacker to spam votes and make voting prohibitively expensive.
We can see there is no explicit rate limiting logic around voting: CultureIndex.sol#L332-L334 and CultureIndex.sol#L307-L324
This remains a vulnerability that could be exploited by a determined attacker to spam votes and block the contract.
The `_vote` function processes each vote without checking for previous votes by the sender or total votes per block. This allows unlimited votes to be submitted. An attacker could spam votes from new addresses, costing ~50k gas each. After 100 votes, voting would cost ~5 ETH. After 500 votes, the cost would exceed 50 ETH, making voting unusable.

- `cultureIndex.vote(0)` from each address

The `_vote` function on lines 307-324 processes votes without limit.

Tools Used
Vs
Recommended Mitigation Steps
Implement a `require` check on total votes per block as well as limits based on past activity per address.

Assessed type
Governance
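A sketch of the two `require` checks the mitigation recommends, written here as an added illustration and not taken from the RevolutionProtocol code base; the contract, the mapping names and the cap and cooldown values are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not CultureIndex.sol): a global per-block vote cap plus a
// per-address cooldown, layered on top of the existing hasVoted check.
contract RateLimitedVotes {
    uint256 public constant MAX_VOTES_PER_BLOCK = 100;     // assumed cap
    uint256 public constant MIN_BLOCKS_BETWEEN_VOTES = 10; // assumed cooldown

    mapping(uint256 => uint256) public votesInBlock;  // block.number => votes seen
    mapping(address => uint256) public lastVoteBlock; // voter => last block voted in

    // pieceId => voter => already voted (mirrors the hasVoted idea from the report)
    mapping(uint256 => mapping(address => bool)) public hasVoted;

    event Voted(uint256 indexed pieceId, address indexed voter);

    // Rejects the call when the current block is full or the sender voted
    // too recently; counters are updated only after the vote succeeds.
    modifier rateLimited() {
        require(votesInBlock[block.number] < MAX_VOTES_PER_BLOCK, "block vote cap reached");
        uint256 last = lastVoteBlock[msg.sender];
        require(
            last == 0 || block.number - last >= MIN_BLOCKS_BETWEEN_VOTES,
            "address voting too frequently"
        );
        _;
        votesInBlock[block.number] += 1;
        lastVoteBlock[msg.sender] = block.number;
    }

    function vote(uint256 pieceId) external rateLimited {
        require(!hasVoted[pieceId][msg.sender], "already voted");
        hasVoted[pieceId][msg.sender] = true;
        emit Voted(pieceId, msg.sender);
    }
}
```

Note the trade-off a reviewer would flag: a global per-block cap lets whoever fills it first lock honest voters out of that block, and a per-address cooldown is sidestepped by voting from fresh addresses, so neither check replaces weighting votes by something costly to acquire.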