The owner of the unclosed proposal cannot create a new proposal because of the restriction that one user can have only one active proposal
Other eligible users might not be able to create a new proposal due to a name conflict
Proof of Concept
An eligible user can create a proposal via different functions, and its ballot can end as early as ballotMinimumEndTime.
Anyone can vote by calling Proposals#castVote() as long as they have voting power.
Anyone can finalize the vote on a specific ballot by calling DAO#finalizeBallot() as soon as the ballot can be finalized.
    function canFinalizeBallot( uint256 ballotID ) external view returns (bool)
        {
        Ballot memory ballot = ballots[ballotID];
        if ( ! ballot.ballotIsLive )
            return false;

        // Check that the minimum duration has passed
        if (block.timestamp < ballot.ballotMinimumEndTime )
            return false;

        // Check that the required quorum has been reached
@>      if ( totalVotesCastForBallot(ballotID) < requiredQuorumForBallotType( ballot.ballotType ))
            return false;

        return true;
        }
As we can see, a ballot cannot be finalized if the voting quorum is not reached.
Nevertheless, it is common for a ballot to fail to attract a sufficient number of votes. If that happens, the protocol should offer a way to close the ballot, but no such mechanism exists. The only way to close it is to hope that enough votes are gathered to meet the quorum. Until the ballot is closed, proposal creation can be blocked:
Since one user can have only one active proposal at a time, the proposer cannot create any new proposal in the meantime
Due to the ballot name conflict, other eligible users may not be able to create a new proposal that has the same ballot name as the unclosed proposal
E.g. the protocol enforces a restriction of one sendSALT ballot at a time. No sendSALT ballot can be created as long as the old one is pending.
Tools Used
Manual review
Recommended Mitigation Steps
The proposer should be able to cancel their proposal if ballotMinimumEndTime has not yet passed.
Anyone can cancel a proposal/ballot without sufficient votes once the time is past ballotMinimumEndTime.
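A minimal sketch of the two mitigation steps above, added here as an example and not taken from the Salty code base. It is a stand-alone Solidity model in which every name except ballotIsLive and ballotMinimumEndTime is hypothetical, and quorum and voting power are reduced to a fixed threshold and a caller-supplied weight.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Simplified model (assumption): not the project's contracts. Only ballotIsLive
// and ballotMinimumEndTime come from the page; all other names are hypothetical.
contract BallotCancelSketch {
    struct Ballot {
        bool ballotIsLive;
        uint256 ballotMinimumEndTime;
        address proposer;
        string ballotName;
        uint256 votesCast;
    }
    uint256 public immutable requiredQuorum;               // fixed threshold for brevity
    uint256 public nextBallotID = 1;
    mapping(uint256 => Ballot) public ballots;
    mapping(address => bool) public userHasActiveProposal; // one active proposal per user
    mapping(string => uint256) public openBallotsByName;   // one open ballot per name

    constructor(uint256 quorum) { requiredQuorum = quorum; }

    function propose(string calldata name, uint256 duration) external returns (uint256 id) {
        require(!userHasActiveProposal[msg.sender], "user already has an active proposal");
        require(openBallotsByName[name] == 0, "a ballot with this name is already open");
        id = nextBallotID++;
        ballots[id] = Ballot(true, block.timestamp + duration, msg.sender, name, 0);
        userHasActiveProposal[msg.sender] = true;
        openBallotsByName[name] = id;
    }

    // Stand-in for real voting-power accounting: the weight is trusted as given.
    function castVote(uint256 ballotID, uint256 weight) external {
        require(ballots[ballotID].ballotIsLive, "ballot not live");
        ballots[ballotID].votesCast += weight;
    }

    // Mitigation: before ballotMinimumEndTime only the proposer may withdraw;
    // afterwards anyone may close a ballot that is still below quorum.
    function cancelBallot(uint256 ballotID) external {
        Ballot storage ballot = ballots[ballotID];
        require(ballot.ballotIsLive, "ballot not live");
        if (block.timestamp < ballot.ballotMinimumEndTime) {
            require(msg.sender == ballot.proposer, "only the proposer before end time");
        } else {
            require(ballot.votesCast < requiredQuorum, "quorum reached: finalize instead");
        }
        // Release both locks that otherwise keep new proposals blocked.
        userHasActiveProposal[ballot.proposer] = false;
        delete openBallotsByName[ballot.ballotName];
        ballot.ballotIsLive = false;
    }
}
```

After cancelBallot succeeds, both the per-user lock and the per-name lock are cleared, so the proposer and anyone wanting the same ballot name can call propose again.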
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/main/src/dao/DAO.sol#L278-L291
Assessed type
Other