Proposal creation can be front-run by another proposal bearing the same name, causing the original (front-run) transaction to fail.
Proof of Concept
```solidity
// Make sure that a proposal of the same name is not already open for the ballot
require( openBallotsByName[ballotName] == 0, "Cannot create a proposal similar to a ballot that is still open" );
require( openBallotsByName[ string.concat(ballotName, "_confirm")] == 0, "Cannot create a proposal for a ballot with a secondary confirmation" );
```
Tools Used
Manual review.
Recommended Mitigation Steps
Each proposal should have a nonce attached to its name so that proposals remain distinct even when their names are identical.
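The name-only check beside one possible form of the recommended nonce, as an added sketch that is not code from the Salty.IO repository. The contract name, `proposeByName`, `proposeWithNonce`, `ballotKey`, `openBallotsByKey`, `nextNonce` and the event are hypothetical; only `openBallotsByName` and the first revert string come from the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.12;

// Added illustration with hypothetical names; not the Salty.IO Proposals contract.
contract ProposalNaming {
    uint256 public nextBallotID = 1;

    // Name-keyed bookkeeping, as in the check quoted in the Proof of Concept.
    mapping(string => uint256) public openBallotsByName;

    // Nonce-keyed bookkeeping: key = keccak256(abi.encode(name, nonce)).
    uint256 public nextNonce;
    mapping(bytes32 => uint256) public openBallotsByKey;

    event BallotOpened(uint256 indexed ballotID, address indexed proposer, string name, bytes32 key);

    // Name-only uniqueness: whichever transaction is mined first claims the name,
    // and every later transaction using that name reverts while the ballot is open.
    function proposeByName(string calldata name) external returns (uint256 ballotID) {
        require(openBallotsByName[name] == 0, "Cannot create a proposal similar to a ballot that is still open");
        ballotID = nextBallotID++;
        openBallotsByName[name] = ballotID;
        emit BallotOpened(ballotID, msg.sender, name, bytes32(0));
    }

    // Nonce attached to the name: the contract assigns a counter value that is
    // never reused, so an earlier transaction with the same name cannot make
    // this call revert.
    // Trade-off (assumption of this sketch): two ballots with the same name can
    // be open at once, so voting and finalization must reference ballotID or
    // key, never the bare name.
    function proposeWithNonce(string calldata name) external returns (uint256 ballotID, bytes32 key) {
        uint256 nonce = nextNonce++;
        key = ballotKey(name, nonce);
        ballotID = nextBallotID++;
        openBallotsByKey[key] = ballotID;
        emit BallotOpened(ballotID, msg.sender, name, key);
    }

    // abi.encode (not abi.encodePacked) keeps the (name, nonce) pair unambiguous.
    function ballotKey(string memory name, uint256 nonce) public pure returns (bytes32) {
        return keccak256(abi.encode(name, nonce));
    }
}
```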
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/dao/Proposals.sol#L103
Assessed type
DoS