Open c4-bot-9 opened 7 months ago
Picodes marked the issue as duplicate of #746
Picodes marked the issue as satisfactory
Picodes marked the issue as selected for report
othernet-global (sponsor) acknowledged
othernet-global (sponsor) confirmed
ballotMaximumDuration added. There is now a default 30 day period after which ballots can be removed by any user.
https://github.com/othernet-global/salty-io/commit/758349850a994c305a0ab9a151d00e738a5a45a0
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/main/src/dao/Proposals.sol#L259-L293
https://github.com/code-423n4/2024-01-salty/blob/main/src/dao/Proposals.sol#L385-L400
Vulnerability details
Impact
Reuse of SALT that has already been used for voting could allow a malicious proposal to pass and compromise the protocol.
Details
castVote casts a vote on a proposal, weighted by the amount of SALT the caller currently has staked.
Calling it again on a proposal the caller has already voted on undoes the caller's existing vote.
Therefore, the same account cannot vote multiple times on the same proposal. However, it is possible to re-vote by unstaking SALT and transferring it to another account.
This attack is viable because the conditions under which a proposal can be finalized are unusual.
In a typical voting system, there is a period of time during which a proposal can be voted on, and if it does not meet the quorum, it is dropped, and if it does, the ratio of upvotes to downvotes determines whether it should be executed.
However, Salty's voting system allows the voting period to continue indefinitely if the quorum is not met. In other words, if the voting lasts longer than the period required to unstake SALT, the SALT can be unstaked and transferred to another account to vote again.
The scenario for the attack is as follows
Proof of Concept
Recommended Mitigation Steps
A short-term solution is to use ballotMaximumEndTime to prevent votes from lasting too long.
A more fundamental solution would be to take a snapshot of the staked SALT and use the snapshot as voting power, as ERC20Votes does, to prevent re-voting after a transfer.
Assessed type
Governance
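The vote accounting and the two mitigations described in this report, as a toy Python model added here (not Salty's Solidity code and not part of the original submission). Account names, amounts, the 14 and 60 day unstaking periods, and the rule that a ballot past its maximum duration rejects votes are assumptions of the model.

```python
# Added illustration, not Salty code: a toy model of ballot vote accounting.
# Account names, amounts and day counts are constructed for the example.

class Ballot:
    def __init__(self, staked, opened_day, max_days=None, snapshot=False):
        self.staked = staked              # live staked balances (shared dict)
        self.opened_day = opened_day
        self.max_days = max_days          # None models a ballot with no time limit
        self.snapshot = dict(staked) if snapshot else None
        self.votes = {}                   # voter -> weight of that voter's last vote

    def cast_vote(self, voter, day):
        if self.max_days is not None and day - self.opened_day >= self.max_days:
            return False                  # ballot is past its maximum duration
        weights = self.snapshot if self.snapshot is not None else self.staked
        # A repeat vote from the same account overwrites its earlier weight,
        # so the per-account check alone does not stop reuse from a new account.
        self.votes[voter] = weights.get(voter, 0)
        return True

    def tally(self):
        return sum(self.votes.values())


def simulate(unstake_days, max_days=None, snapshot=False):
    """Vote, move the same stake to a second account, vote again; return the tally."""
    staked = {"acct_a": 100}
    ballot = Ballot(staked, opened_day=0, max_days=max_days, snapshot=snapshot)
    ballot.cast_vote("acct_a", day=0)
    # Unstake, wait out the unstaking period, transfer, restake under acct_b.
    staked["acct_b"] = staked.pop("acct_a")
    ballot.cast_vote("acct_b", day=unstake_days)
    return ballot.tally()


if __name__ == "__main__":
    print("no limit, live weights    :", simulate(unstake_days=14))
    print("30 day cap, 14 day unstake:", simulate(14, max_days=30))
    print("30 day cap, 60 day unstake:", simulate(60, max_days=30))
    print("snapshot weights          :", simulate(14, snapshot=True))
```

In this model the duration cap bounds the tally only when it is shorter than the unstaking period, while snapshot weights bound it regardless of how long the ballot stays open.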