Open c4-bot-10 opened 4 months ago
Vulnerability details
Comments
In the original implementation, a malicious user can create a proposal ending in _confirm to block SET_CONTRACT and SET_WEBSITE_URL proposals from being confirmed.
Mitigation
commit 5aa1bc1
The mitigation named the confirmation proposal starting with confirm_ instead of ending with _confirm:
https://github.com/othernet-global/salty-io/blob/5aa1bc1ddadd67cd875de932633948af25ff8957/src/dao/DAO.sol#L185
https://github.com/othernet-global/salty-io/blob/5aa1bc1ddadd67cd875de932633948af25ff8957/src/dao/DAO.sol#L189
The original issue was resolved.
Conclusion
Confirmed
Picodes marked the issue as satisfactory
Picodes marked the issue as confirmed for report
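The name collision and its fix, as an added Python model that is not part of the original report and is not the project's Solidity code. It assumes ballot names must be unique while open and that user proposals carry a fixed type prefix; the "setContract:" prefix, the priceFeed1 sample name and all class and function names are hypothetical.

```python
"""Toy model of the ballot-name collision (added example, not project code)."""

USER_PREFIX = "setContract:"   # assumed prefix the DAO puts on user proposals


def suffix_scheme(name):       # original naming: <ballot>_confirm
    return name + "_confirm"


def prefix_scheme(name):       # mitigated naming: confirm_<ballot>
    return "confirm_" + name


class BallotRegistry:
    """Open ballots keyed by unique name (assumption of this model)."""

    def __init__(self, confirm_name):
        self.open = set()
        self.confirm_name = confirm_name

    def _create(self, name):
        if name in self.open:
            raise ValueError("ballot already open: " + name)
        self.open.add(name)
        return name

    def propose_set_contract(self, user_text):
        # Users choose only the text after the fixed prefix.
        return self._create(USER_PREFIX + user_text)

    def approve(self, ballot):
        # First-stage ballot passed: close it, open the confirmation ballot.
        self.open.discard(ballot)
        return self._create(self.confirm_name(ballot))


def confirmation_blocked(scheme, squatted_text, target_text="priceFeed1"):
    """True if a pre-existing user ballot stops the confirmation ballot."""
    reg = BallotRegistry(scheme)
    target = reg.propose_set_contract(target_text)   # constructed sample name
    reg.propose_set_contract(squatted_text)
    try:
        reg.approve(target)
    except ValueError:
        return True
    return False


def user_reachable(scheme, target_text="priceFeed1"):
    """Can a user-created ballot ever equal the confirmation name?"""
    return scheme(USER_PREFIX + target_text).startswith(USER_PREFIX)
```

Under the suffix scheme the confirmation name stays inside the namespace users can write to, which is what user_reachable reports; the prefix scheme moves it outside that namespace.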