Closed c4-bot-2 closed 4 months ago
Picodes marked the issue as primary issue
othernet-global (sponsor) acknowledged
This would be a configuration mistake by the admin or the DAO so falls within QA
Picodes changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/dao/Proposals.sol#L233 https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/dao/Proposals.sol#L224
Vulnerability details
Impact
This can lead to false negatives, e.g same country can be included and excluded at the same time depending on the alphabet case used during the proposal creation. This will break the functionality of the protocol.
Vulnerability Details
This vulnerability stems from the check used to validated the country a proposal is being created for when
Proposals.proposeCountryInclusion(...)
andProposals.proposeCountryExclusion(...)
are called. The developer assumes that checking the byte length of theISO 3166 Alpha-2 Code
is sufficient to ensure no other character is entered as shown below:require( bytes(country).length == 2, "Country must be an ISO 3166 Alpha-2 Code" );
However, as shown in the coded POC below, different case combinations of country
ISO 3166 Alpha-2 Code
will pass this check. Leading to situations like:Pakistan - which can be PK, pK, pk, Pk will all pass this test because they all resolve to 2 bytes in length
If the proposal was made for pk to be excluded, then
DAO.countryIsExcluded(pk)
will betrue
whileDAO.countryIsExcluded(PK)
will befalse
meaning one country can be bothincluded
andexcluded
at the same time which breaks the protocols functionality.Coded POC
Add the following test case to the
DAO.t.sol
file and runCOVERAGE="yes" NETWORK="sep" forge test --mt testExcludeCountryApproved -vv --rpc-url https://rpc.ankr.com/eth_sepolia
I also added the bytes output of other combinations to make this clearer. You can as well run the test for other country code combinations.
Result of logs:
SUGGESTION
The only solution I could suggest at this time is:
on the frontend of the protocol, implement conversion of the user input to upper case OR attempt converting from user entered case to UPPER case in all instances.
Assessed type
Invalid Validation