Closed c4-bot-10 closed 7 months ago
Picodes marked the issue as duplicate of #620
Picodes marked the issue as satisfactory
Picodes changed the severity to 2 (Med Risk)
Picodes changed the severity to QA (Quality Assurance)
This previously downgraded issue has been upgraded by Picodes
Hey @Picodes,
thanks for reviewing the submission. I would like to add that this is a duplicate of #980. Both exploit exactly the same issue of appending "setContract:pricefeed1 + _confirm" to the contract name and block other proposals that way.
confirm_ is now prepended to automatic confirmation ballots from setWebsiteURL and setContract proposals.
https://github.com/othernet-global/salty-io/commit/5aa1bc1ddadd67cd875de932633948af25ff8957
Picodes marked the issue as not a duplicate
Picodes marked the issue as duplicate of #620
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/main/src/dao/Proposals.sol#L122
Vulnerability details
Impact
The creation of a confirmation proposal can be blocked because of a front-running attack. The setting of the contract address and updating of the website can be blocked forever.
Attack scenario:
ballotName = setContract:priceFeed1 where contractName = priceFeed1
ballotMinimumEndTime is passed.
DAO contract to try to call the finalizeBallot function.
ballotName = setContract:priceFeed1_confirm where contractName = priceFeed1_confirm. Here, openBallotsByName[ballotName] is equal to the new ballotID.
createConfirmationProposal function is reached where the _possiblyCreateProposal function is called. The require statement for openBallotsByName[ballotName] == 0 will not be passed.
The ballotName here would be equal to setContract:priceFeed1_confirm because the name of confirmation proposal is equal to string.concat(ballot.ballotName, "_confirm")
As a result, the transaction will revert and cannot create a confirmation proposal.
The malicious user can do that endlessly and block the creation of confirmation proposals forever. The only requirement is to have enough staked XSalt for creating a normal proposal.
Tools Used
Manual Review
Recommended Mitigation Steps
Reserve openBallotsByName[ballotName] == 1, where ballotName = string.concat(ballot.ballotName, "_confirm"), during the creation of the proposal.
Assessed type
DoS
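The name collision described in this report, next to the prefix naming mentioned in the sponsor's comment, as an added Solidity model that is not the Salty.IO code. The contract name, every function name except _possiblyCreateProposal, the revert string, and the assumption that each user-created ballot name starts with "setContract:" are illustrative; stake and access checks are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Proposals.sol. Assumption: user-created ballot names
// are always "setContract:" + contractName; stake and access checks are omitted.
contract BallotNameModel {
    mapping(string => uint256) public openBallotsByName;
    uint256 private nextBallotID = 1;

    function _possiblyCreateProposal(string memory ballotName) internal returns (uint256 ballotID) {
        // Same uniqueness rule the report quotes: a name may back only one open ballot.
        require(openBallotsByName[ballotName] == 0, "ballot name already open");
        ballotID = nextBallotID++;
        openBallotsByName[ballotName] = ballotID;
    }

    // Stands in for the user-facing setContract proposal.
    function proposeSetContract(string calldata contractName) external returns (uint256) {
        return _possiblyCreateProposal(string.concat("setContract:", contractName));
    }

    // Suffix naming from the report: "setContract:priceFeed1" + "_confirm" is a name
    // that proposeSetContract("priceFeed1_confirm") can already occupy.
    function confirmWithSuffix(string calldata approvedName) external returns (uint256) {
        return _possiblyCreateProposal(string.concat(approvedName, "_confirm"));
    }

    // Prefix naming from the sponsor's comment: "confirm_" + name never starts with
    // "setContract:", so no user proposal in this model can produce it.
    function confirmWithPrefix(string calldata approvedName) external returns (uint256) {
        return _possiblyCreateProposal(string.concat("confirm_", approvedName));
    }

    // Replays the report's sequence against both naming schemes.
    function replay() external returns (bool suffixBlocked, bool prefixCreated) {
        this.proposeSetContract("priceFeed1");          // approved proposal
        this.proposeSetContract("priceFeed1_confirm");  // colliding name from the report
        try this.confirmWithSuffix("setContract:priceFeed1") {} catch { suffixBlocked = true; }
        try this.confirmWithPrefix("setContract:priceFeed1") { prefixCreated = true; } catch {}
    }
}
```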