Open c4-bot-6 opened 6 months ago
Downgrading to Low as there is no security issue here for me. If the proposal hasn't reached quorum within the voting period it can be cancelled, which seems fair.
Picodes changed the severity to QA (Quality Assurance)
Added a comment regarding this in #94
Lines of code
https://github.com/othernet-global/salty-io/blob/main/src/dao/DAO.sol#L256
Vulnerability details
Summary & Impact
The mitigation for M-19 was meant to avoid trapping proposers indefinitely if their proposal had still not met quorum after 30 days. Hence the function manuallyRemoveBallot() was introduced, which can be called by anyone.
The fix incorrectly assumes that the owner will always want their proposal to be cancelled after 30 days. This is not true: if their proposal is quite close to reaching quorum, the owner may want to keep it alive for a few more days. However, a griefer or someone who has voted against the ballot can choose to delete the proposal instead.
This choice of deleting the ballot ought to remain in the hands of only the proposal owner.
Proof of Concept
yes, but this is still less than the minimum required quorum.
yes votes. So she plans to wait for another couple of days.
manuallyRemoveBallot() to remove the proposal.

Add the following tests inside src/dao/tests/DAO.t.sol and run via

COVERAGE="yes" NETWORK="sep" forge test -vv --rpc-url https://rpc.ankr.com/eth_sepolia --mt test_30dayRemoval

to see the test pass:

Recommended Mitigation Steps
Inside manuallyRemoveBallot(), ensure that msg.sender is the owner of the proposal.

Conclusion
New attack vector created due to the fix.
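The recommended check, shown on a hypothetical, simplified ballot contract written for this writeup (it is not the salty-io DAO code; the quorum, voting period and 30-day delay constants, the Ballot struct and the function names other than manuallyRemoveBallot() are assumptions):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical ballot registry illustrating the mitigation in the finding above:
// a stale ballot may only be removed by the address that proposed it.
contract BallotRegistry {
    struct Ballot {
        address proposer;
        uint256 createdAt;   // timestamp the ballot was opened
        uint256 yesVotes;
        uint256 noVotes;
        bool exists;
    }

    uint256 public constant REQUIRED_QUORUM = 1_000e18;      // assumed value
    uint256 public constant MANUAL_REMOVAL_DELAY = 30 days;  // delay named in the finding

    mapping(uint256 => Ballot) public ballots;
    uint256 public nextBallotID;

    event BallotRemoved(uint256 indexed ballotID, address indexed removedBy);

    function proposeBallot() external returns (uint256 ballotID) {
        ballotID = nextBallotID++;
        ballots[ballotID] = Ballot(msg.sender, block.timestamp, 0, 0, true);
    }

    // Before the fix this function had no caller restriction, so any account
    // (including one that voted against the ballot) could delete a ballot that
    // was close to quorum once the delay had elapsed. The proposer check below
    // keeps the decision with the ballot owner, as the mitigation recommends.
    function manuallyRemoveBallot(uint256 ballotID) external {
        Ballot storage b = ballots[ballotID];
        require(b.exists, "Ballot does not exist");
        require(block.timestamp >= b.createdAt + MANUAL_REMOVAL_DELAY, "Removal delay not elapsed");
        require(b.yesVotes + b.noVotes < REQUIRED_QUORUM, "Quorum reached; finalize instead");
        require(msg.sender == b.proposer, "Only the proposer may remove this ballot"); // the fix

        delete ballots[ballotID];
        emit BallotRemoved(ballotID, msg.sender);
    }
}
```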
Assessed type
Access Control