code-423n4 / 2024-03-saltyio-mitigation-findings


M-02 MitigationConfirmed #48

Open c4-bot-5 opened 8 months ago

c4-bot-5 commented 8 months ago

Lines of code

Vulnerability details

C4 Issue

https://github.com/code-423n4/2024-01-salty-findings/issues/1009

Comments

The issue centers on the DAO's handling of CALL_CONTRACT ballots, specifically the lack of error handling for external contract calls that revert. If such a call fails, the system fails to mark the associated ballot as finalized. This oversight can trap the proposal initiator in a state where they are unable to submit new proposals due to the unfinalized status of their current proposal. Ballots can only be finalized by calling the function below, which will never be possible:

proposals.markBallotAsFinalized(ballotID);

Mitigation

https://github.com/othernet-global/salty-io/commit/5f1a5206a04b0f3fe45ad88a311370ce12fb0135

The mitigation for this was simply to wrap the call to the contract in a try/catch, effectively allowing the ballot to be finalised even if the contract call reverts.

Tests

Tests were added to check for this and are passing.

Conclusion

LGTM
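The finding and the mitigation described above, as an added illustration that is not code from salty-io or from the warden: a stripped-down DAO that finalizes a CALL_CONTRACT ballot, showing the unguarded external call beside the try/catch form. `markBallotAsFinalized` is the call quoted in the finding; the interface names `ICalledContract`/`callFromDAO`/`IProposals` and the `CallFailed` event are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal interfaces modelled on the finding's description.
// Only markBallotAsFinalized is taken from the page; the rest is assumed.
interface ICalledContract {
    function callFromDAO(uint256 intArg) external;
}

interface IProposals {
    function markBallotAsFinalized(uint256 ballotID) external;
}

contract DaoCallContractExample {
    IProposals public immutable proposals;

    // Emitted when the target reverts so the failure stays visible on-chain.
    event CallFailed(uint256 indexed ballotID, address indexed target);

    constructor(IProposals _proposals) {
        proposals = _proposals;
    }

    // BEFORE: a revert inside callFromDAO bubbles up and reverts this whole
    // transaction, so markBallotAsFinalized is never reached and the ballot
    // stays open forever, blocking the proposer from submitting again.
    function finalizeVulnerable(uint256 ballotID, address target, uint256 arg) external {
        ICalledContract(target).callFromDAO(arg);
        proposals.markBallotAsFinalized(ballotID);
    }

    // AFTER: the external call is isolated in try/catch. A revert is recorded
    // via the event, and finalization proceeds regardless of the outcome.
    function finalizeMitigated(uint256 ballotID, address target, uint256 arg) external {
        try ICalledContract(target).callFromDAO(arg) {
            // call succeeded; nothing extra to do
        } catch {
            emit CallFailed(ballotID, target);
        }
        proposals.markBallotAsFinalized(ballotID);
    }
}
```

Note that try/catch only catches a revert raised inside the external call itself; if `target` has no code, the compiler-inserted code-size check fails before the call and that revert is not caught, so a hardened version would also verify the target is a contract.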

c4-judge commented 8 months ago

Picodes marked the issue as satisfactory