search

code-423n4 / 2024-01-salty-findings

11 stars 6 forks source link

Invariant violated, _userHasActiveProposal[msg.sender] = false while msg.sender has an active proposal #880

Closed c4-bot-2 closed 8 months ago

c4-bot-2 commented 9 months ago

Lines of code

https://github.com/code-423n4/2024-01-salty/blob/main/src/dao/Proposals.sol#L145

Vulnerability details

Proof of Concept

Steps to generate the issue

The issue arises because the dao is allowed to create multiple proposals, while a user cannot, in the markBallotAsFinalized function implementation, only the case of a user creating only one proposal and deleting it is considered, while the case that the dao might have more than one proposal is not considered. Proposals.sol #145-147


    function markBallotAsFinalized( uint256 ballotID ) external nonReentrant
        {
            ...
145     // Indicate that the user who posted the proposal no longer has an active proposal
146     address userThatPostedBallot = _usersThatProposedBallots[ballotID];
147     _userHasActiveProposal[userThatPostedBallot] = false;
            ...
        }

In the following discussion with the sponsor, he acknowledged the issue, by confirming that daos are allowed to create more than one proposal, and from the code, we can see clearly that the case is not handled

chat

Tools Used

Manual Review, vs code

Recommended Mitigation Steps

Have separate logic proposal deletion in case of a dao is the one created the proposal, check if the dao has more proposal and if none then remove.

Assessed type

Governance

c4-judge commented 9 months ago

Picodes marked the issue as primary issue

c4-sponsor commented 8 months ago

othernet-global (sponsor) disputed

othernet-global commented 8 months ago

_userHasActiveProposal is not applicable to the DAO and the behavior is acceptable.

c4-judge commented 8 months ago

Picodes marked the issue as unsatisfactory: Invalid