Open c4-bot-2 opened 5 months ago
Picodes marked the issue as primary issue
othernet-global marked the issue as disagree with severity
othernet-global (sponsor) confirmed
Make proposals require a percent of the staking SALT which is set by the DAO. Each user can only make one proposal at a time. Additionally, the default unstaking period for xSALT is 52 weeks and xSALT is non-transferrable.
Picodes marked the issue as satisfactory
Picodes changed the severity to 2 (Med Risk)
Medium severity seems appropriate here under "function of the protocol or its availability could be impacted".
There is now no limit to the number of tokens that can be proposed for whitelisting.
Also, any whitelisting proposal that has reached quorum with sufficient approval votes can be executed.
https://github.com/othernet-global/salty-io/commit/ccf4368fcf1777894417fccd2771456f3eeaa81c
Picodes marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/dao/Proposals.sol#L162-L177
https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/dao/Proposals.sol#L81-L118
Vulnerability details
Summary
The creation of token whitelisting proposals is limited to 5 open proposals; once that limit is reached, proposal creation is DOS'd until existing proposals are voted on and finalized.
Vulnerability Details
In `proposeTokenWhitelisting()`, when a proposal is created to whitelist a new token, the `ballotId` is added to `_openBallotsForTokenWhitelisting`. There is then a check to ensure that the length of `_openBallotsForTokenWhitelisting` does not exceed `daoConfig.maxPendingTokensForWhitelisting()`. Once `maxPendingTokensForWhitelisting` has been reached, no new token whitelisting proposals can be created. This could happen by accident or through malicious actions on the part of users manipulating the system. By default `maxPendingTokensForWhitelisting` is set to 5, but it could be decreased via vote to 3, which would make the issue even more commonplace.
POC
Add the test function below to `DAO.t.sol` and run:
Impact
Malicious users can clog the whitelisting queue with fake token proposals, blocking the addition of genuine tokens and DOSing core functionality of the protocol. This can restrict the ability of the protocol to operate and its popularity with users. Although a user can only create one proposal per address at a time, a coordinated group of just five addresses could block the functionality indefinitely.
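To make the queue-length condition concrete, the following is an added Foundry example written for this page; it is not the warden's missing PoC and not salty-io's `Proposals.sol`. `WhitelistQueueModel` is a hypothetical stand-in that models only the two rules the finding relies on (the `_openBallotsForTokenWhitelisting` length check against `maxPendingTokensForWhitelisting`, and one open proposal per address); the constant names are borrowed from the report, the contract, its functions and the test names are assumptions, and `forge-std` is assumed to be installed. The first test shows that with a cap of 5, a sixth distinct address is rejected until one ballot is finalized; the second shows the uncapped behaviour the sponsor's fix adopted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol"; // assumed: Foundry's forge-std is available

// Hypothetical model of the whitelisting proposal queue (not salty-io code).
// maxPending == 0 models the post-fix behaviour: no cap on open ballots.
contract WhitelistQueueModel {
    uint256 public maxPendingTokensForWhitelisting;
    uint256[] private _openBallotsForTokenWhitelisting;
    mapping(address => bool) public hasOpenProposal;
    mapping(uint256 => address) public proposer;
    uint256 private _nextBallotId = 1;

    error TooManyPendingProposals();
    error OneProposalPerAddress();

    constructor(uint256 maxPending) {
        maxPendingTokensForWhitelisting = maxPending;
    }

    function proposeTokenWhitelisting() external returns (uint256 ballotId) {
        if (hasOpenProposal[msg.sender]) revert OneProposalPerAddress();
        ballotId = _nextBallotId++;
        _openBallotsForTokenWhitelisting.push(ballotId);
        // Pre-fix check: once the queue already holds maxPending open ballots,
        // every further proposal reverts until one of them is finalized.
        if (
            maxPendingTokensForWhitelisting != 0 &&
            _openBallotsForTokenWhitelisting.length > maxPendingTokensForWhitelisting
        ) revert TooManyPendingProposals();
        hasOpenProposal[msg.sender] = true;
        proposer[ballotId] = msg.sender;
    }

    // Finalizing a ballot removes it from the open set (swap-and-pop) and
    // frees its proposer to submit again.
    function finalize(uint256 ballotId) external {
        uint256 n = _openBallotsForTokenWhitelisting.length;
        for (uint256 i = 0; i < n; i++) {
            if (_openBallotsForTokenWhitelisting[i] == ballotId) {
                _openBallotsForTokenWhitelisting[i] = _openBallotsForTokenWhitelisting[n - 1];
                _openBallotsForTokenWhitelisting.pop();
                hasOpenProposal[proposer[ballotId]] = false;
                return;
            }
        }
        revert("unknown ballot");
    }

    function openCount() external view returns (uint256) {
        return _openBallotsForTokenWhitelisting.length;
    }
}

contract WhitelistQueueModelTest is Test {
    // With the default cap of 5, five distinct addresses fill the queue and
    // a sixth, genuine proposer is locked out until a ballot is finalized.
    function testCapBlocksSixthProposer() public {
        WhitelistQueueModel q = new WhitelistQueueModel(5);
        for (uint160 i = 1; i <= 5; i++) {
            vm.prank(address(i));
            q.proposeTokenWhitelisting();
        }
        assertEq(q.openCount(), 5);

        vm.prank(address(6));
        vm.expectRevert(WhitelistQueueModel.TooManyPendingProposals.selector);
        q.proposeTokenWhitelisting();

        // Only finalizing one of the open ballots unblocks the queue.
        q.finalize(1);
        vm.prank(address(6));
        q.proposeTokenWhitelisting();
        assertEq(q.openCount(), 5);
    }

    // Post-fix behaviour: with no cap, the sixth proposer is accepted and the
    // one-proposal-per-address rule is the only remaining gate.
    function testNoCapAcceptsSixthProposer() public {
        WhitelistQueueModel q = new WhitelistQueueModel(0);
        for (uint160 i = 1; i <= 6; i++) {
            vm.prank(address(i));
            q.proposeTokenWhitelisting();
        }
        assertEq(q.openCount(), 6);

        vm.prank(address(1));
        vm.expectRevert(WhitelistQueueModel.OneProposalPerAddress.selector);
        q.proposeTokenWhitelisting();
    }
}
```

Run with `forge test --match-contract WhitelistQueueModelTest`. The model makes the defensive trade-off visible: a fixed cap turns the queue into a shared resource that a handful of addresses can exhaust, whereas removing the cap (as the sponsor's commit did) and relying on the per-address limit plus the staked-SALT proposal requirement shifts the cost of flooding onto the proposer.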
Tools Used
Manual Review, Foundry Testing
Recommendations
Allow a trusted authority to remove proposals which they deem to be malicious such as proposals for fake tokens.
Assessed type
DoS