Lines of code
Vulnerability details
C4 Issue
https://github.com/code-423n4/2024-01-salty-findings/issues/620
Comments
An adversary can exploit the proposal system by creating "poisonous" proposals with names that preempt the naming convention for confirmation proposals (e.g., appending "_confirm" to the original proposal name). This tactic can block legitimate proposals for setting contract addresses and updating website URLs. Specifically, by submitting a proposal whose name mimics the confirmation step of a legitimate process (such as "setContract:priceFeed1_confirm"), the attacker can prevent the creation and confirmation of critical proposals, such as those updating the price feed contracts essential for borrowing and liquidations, or those modifying the DAO's website URL. The vulnerability abuses a check intended to ensure that no confirmation proposal exists before a new proposal is created; because the attacker controls the proposal name, that check can be turned into a denial of service (DoS).
Mitigation
https://github.com/othernet-global/salty-io/commit/5aa1bc1ddadd67cd875de932633948af25ff8957
The mitigation effectively dealt with this issue by prepending 'confirm_' to the automatic confirmation ballots created from setWebsiteURL and setContract proposals. With this change there is no way for an attacker to mimic a confirmation proposal.
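The following is an added illustration, not code from salty-io or from the original finding: a minimal Python model of the ballot registry that replays the blocked proposal under the original suffix naming and under the mitigated prefix naming. It assumes, inferred from the finding rather than checked against the contracts, that a setContract ballot is named "setContract:" plus the user-supplied contract name, and that an approved setContract ballot is replaced by an automatic confirmation ballot whose name is derived from the original name. The class and function names are the example's own.

```python
# Added example, not salty-io's code: a minimal model of the DAO ballot registry
# showing why a "_confirm" suffix on confirmation ballots is forgeable and a
# "confirm_" prefix is not. Assumption (inferred from the finding, not verified
# against the contracts): a setContract ballot is named
# "setContract:" + <user-supplied contract name>, and finalizing an approved
# setContract ballot opens an automatic confirmation ballot derived from that name.

SET_CONTRACT_PREFIX = "setContract:"


class BallotRegistry:
    """Tracks open ballots by name; `scheme` selects how confirmation names are built."""

    def __init__(self, scheme: str) -> None:
        if scheme not in ("suffix", "prefix"):
            raise ValueError("scheme must be 'suffix' (vulnerable) or 'prefix' (mitigated)")
        self.scheme = scheme
        self.open_ballots: set[str] = set()

    def confirmation_name(self, ballot_name: str) -> str:
        # Vulnerable: "<name>_confirm"; mitigated: "confirm_<name>".
        if self.scheme == "suffix":
            return ballot_name + "_confirm"
        return "confirm_" + ballot_name

    def propose_set_contract(self, contract_name: str) -> str:
        """User-facing entry point: the caller only controls the part after the prefix."""
        ballot_name = SET_CONTRACT_PREFIX + contract_name
        if ballot_name in self.open_ballots:
            raise ValueError(f"ballot already open: {ballot_name}")
        # The check the finding describes: refuse a proposal whose confirmation
        # ballot is already open, so the same change is not in flight twice.
        if self.confirmation_name(ballot_name) in self.open_ballots:
            raise ValueError(f"confirmation ballot already open for {ballot_name}")
        self.open_ballots.add(ballot_name)
        return ballot_name

    def finalize_approved(self, ballot_name: str) -> str:
        """An approved setContract ballot is replaced by its automatic confirmation ballot."""
        self.open_ballots.remove(ballot_name)
        confirmation = self.confirmation_name(ballot_name)
        self.open_ballots.add(confirmation)
        return confirmation


def confirmation_forgeable(scheme: str) -> bool:
    """True if a confirmation ballot name can also be produced via propose_set_contract.

    Every user-created ballot starts with SET_CONTRACT_PREFIX, so a confirmation
    name is forgeable exactly when it starts with that prefix as well.
    """
    registry = BallotRegistry(scheme)
    sample = registry.confirmation_name(SET_CONTRACT_PREFIX + "priceFeed1")
    return sample.startswith(SET_CONTRACT_PREFIX)


def poison_attempt(scheme: str) -> str:
    """Replays the finding: a 'poisonous' ballot is opened first, then the legitimate one."""
    registry = BallotRegistry(scheme)
    # Constructed input: the contract name is chosen so that the resulting ballot
    # name equals the suffix-scheme confirmation name for "setContract:priceFeed1".
    registry.propose_set_contract("priceFeed1_confirm")
    try:
        legit = registry.propose_set_contract("priceFeed1")
    except ValueError as exc:
        return f"blocked: {exc}"
    # Under the mitigated scheme the legitimate proposal proceeds to its confirmation.
    return registry.finalize_approved(legit)


if __name__ == "__main__":
    print("suffix scheme:", poison_attempt("suffix"))
    print("prefix scheme:", poison_attempt("prefix"))
    print("forgeable?", confirmation_forgeable("suffix"), confirmation_forgeable("prefix"))
```

Under the suffix scheme the second proposal is rejected by the existence check because the attacker's ballot already occupies the confirmation name; under the prefix scheme the two namespaces cannot overlap, since every user-created ballot begins with "setContract:" while every confirmation ballot begins with "confirm_". The confirmation_forgeable check captures that invariant directly and is the kind of assertion worth keeping in a test suite when naming conventions change.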
Tests
Tests were added and are passing
Conclusion
LGTM