Closed c4-bot-1 closed 7 months ago
Picodes marked the issue as duplicate of #620
Picodes changed the severity to 2 (Med Risk)
Picodes changed the severity to QA (Quality Assurance)
This previously downgraded issue has been upgraded by Picodes
Picodes marked the issue as satisfactory
Picodes marked the issue as not a duplicate
Picodes marked the issue as duplicate of #620
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/dao/Proposals.sol#L102
Vulnerability details
Impact
Since the _possiblyCreateProposal function checks the ballotName to ensure that only one open proposal exists with a given name, this mechanism works in most cases. However, if the ballotName is not designed carefully, malicious users can prevent some proposals from being created by front-running. Specifically:

When the community wants to create a proposal of type SET_CONTRACT, the attacker calls proposeSetContractAddress and appends the _confirm string to the contractName parameter, for example accessManager_confirm. This leaves the DAO unable to create the confirmation proposal of type CONFIRM_SET_CONTRACT.

When the community needs to update the website, the attacker calls proposeWebsiteUpdate and appends the _confirm string to the newWebsiteURL parameter, for example https://tech.salty.io_confirm. This leaves the DAO unable to create the confirmation proposal of type CONFIRM_SET_WEBSITE_URL.

When the community decides to propose sending a specified amount of SALT to a wallet or contract, the attacker calls proposeSendSALT and sets the amount parameter to an unreasonable value, which prevents the community from creating the proposal it anticipates.

Proof of Concept
https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/dao/Proposals.sol#L102
Since _possiblyCreateProposal uses the ballotName to ensure that each proposal is unique, a malicious user can trigger a DoS by front-running. Adding the above test case in src/dao/tests/DAO.t.sol will cause the DAO to be unable to create a normal confirmation proposal.

Tools Used
vscode, foundry test
Recommended Mitigation Steps
Fully consider the design of ballotName and add more detailed information to it, such as the following code

Assessed type
DoS
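The following is an added example and not code from the Salty repository or from this finding: a small Python model of a proposal registry that, like _possiblyCreateProposal, allows only one open ballot per ballotName. It reproduces the front-run described under Impact (an attacker-chosen contractName ending in _confirm occupies the name the DAO later needs for its CONFIRM_SET_CONTRACT ballot) and shows one way to follow the mitigation above: qualifying the name with the ballot type. The "setContract:" and "setURL:" prefixes, the address strings and the type-prefix scheme are assumptions of the model, not the project's actual naming.

```python
# Added example (not Salty's code): a Python model of a DAO proposal registry
# keyed by ballot name. It shows how a user-supplied name ending in "_confirm"
# pre-empts the DAO's own confirmation proposal when names are not qualified
# by ballot type, and how an assumed type-prefix scheme removes the collision.
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict


class BallotType(Enum):
    SET_CONTRACT = auto()
    CONFIRM_SET_CONTRACT = auto()
    SET_WEBSITE_URL = auto()
    CONFIRM_SET_WEBSITE_URL = auto()


# Which confirmation ballot follows which approval ballot.
CONFIRMATION_OF = {
    BallotType.SET_CONTRACT: BallotType.CONFIRM_SET_CONTRACT,
    BallotType.SET_WEBSITE_URL: BallotType.CONFIRM_SET_WEBSITE_URL,
}


@dataclass
class Ballot:
    ballot_type: BallotType
    base_name: str   # type-independent part of the name (user-influenced)
    argument: str    # proposed address or URL


class ProposalRegistry:
    """Models _possiblyCreateProposal: exactly one open ballot per name."""

    def __init__(self, qualify_with_type: bool) -> None:
        self.qualify_with_type = qualify_with_type
        self.open_ballots: Dict[str, Ballot] = {}

    def ballot_name(self, ballot_type: BallotType, base_name: str) -> str:
        # Weak scheme (as in the finding): the name is only the base, so a
        # user-controlled suffix can equal the DAO's reserved "_confirm" name.
        # Assumed hardened scheme: prefix the ballot type, so a SET_CONTRACT
        # proposal can never occupy a CONFIRM_SET_CONTRACT name.
        if self.qualify_with_type:
            return f"{ballot_type.name}:{base_name}"
        return base_name

    def _possibly_create_proposal(self, ballot_type: BallotType,
                                  base_name: str, argument: str) -> str:
        name = self.ballot_name(ballot_type, base_name)
        if name in self.open_ballots:
            raise ValueError(f"ballot already exists: {name}")
        self.open_ballots[name] = Ballot(ballot_type, base_name, argument)
        return name

    # User-callable entry points (prefixes are the model's assumption).
    def propose_set_contract_address(self, contract_name: str,
                                     new_address: str) -> str:
        return self._possibly_create_proposal(
            BallotType.SET_CONTRACT, "setContract:" + contract_name, new_address)

    def propose_website_update(self, new_url: str) -> str:
        return self._possibly_create_proposal(
            BallotType.SET_WEBSITE_URL, "setURL:" + new_url, new_url)

    # DAO-only step after an approval ballot passes: open the confirmation,
    # whose base name is the approved base name plus the "_confirm" suffix.
    def create_confirmation_proposal(self, approved_name: str) -> str:
        approved = self.open_ballots.pop(approved_name)   # approval finalised
        return self._possibly_create_proposal(
            CONFIRMATION_OF[approved.ballot_type],
            approved.base_name + "_confirm", approved.argument)


def run_front_run_scenario(qualify_with_type: bool) -> bool:
    """True if the DAO could open its confirmation ballot despite the front-run."""
    reg = ProposalRegistry(qualify_with_type)
    # 1. Attacker front-runs with a contractName that ends in "_confirm".
    reg.propose_set_contract_address("accessManager_confirm", "0xATTACKER-PLACEHOLDER")
    # 2. The community proposes the real change and the approval ballot passes.
    approved = reg.propose_set_contract_address("accessManager", "0xNEW-PLACEHOLDER")
    # 3. The DAO tries to open the CONFIRM_SET_CONTRACT ballot.
    try:
        reg.create_confirmation_proposal(approved)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("unqualified names, confirmation created:", run_front_run_scenario(False))
    print("type-qualified names, confirmation created:", run_front_run_scenario(True))
```

With unqualified names the attacker's ballot "setContract:accessManager_confirm" is exactly the name the DAO needs for its confirmation, so the second call fails; with the type prefix the two names differ and the confirmation is created. A complementary check, not shown, is to reject user-supplied base names that end in the reserved suffix, but separating the namespaces by type is the more robust fix because it does not depend on enumerating reserved suffixes.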