code-423n4 / 2024-03-saltyio-mitigation-findings


M-14 MitigationConfirmed #97

Open c4-bot-10 opened 4 months ago

c4-bot-10 commented 4 months ago

Lines of code

Vulnerability details

C4 Issue

https://github.com/code-423n4/2024-01-salty-findings/issues/556

Comments

The DAO's process for finalizing token whitelisting proposals contains a flaw where it only allows the proposal with the highest number of votes to proceed, without considering whether competing ballots have passed their voting deadline. This method overlooks scenarios where a ballot with more current "Yes" votes could eventually be rejected as "No" votes accumulate before its deadline. As a result, proposals that have already reached their deadline and achieved quorum could be unjustly delayed if a newer proposal temporarily garners more "Yes" votes, even if it's eventually defeated. This creates an opportunity for malicious actors to intentionally delay the finalization of legitimate proposals by submitting competing ones close to the deadline of the original proposal, thereby gaming the system to push finalization further into the future.

Mitigation

https://github.com/othernet-global/salty-io/commit/ccf4368

The mitigation effectively removed the restrictions on proposals for token whitelisting entirely. Now an unlimited number of proposals for token whitelisting can be made.

Conclusion

LGTM
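A simplified model of the finalization rule described in the comment above, added here as an illustration; it is not code from the Salty.IO repository or from the report. `QUORUM`, the ballot fields, the function names and the vote timeline are assumptions constructed for the example, including the assumption that the "highest number of votes" is compared on "Yes" votes.

```python
from dataclasses import dataclass

QUORUM = 100  # constructed value for this model

@dataclass
class Ballot:
    ballot_id: int
    created: int   # time the proposal was submitted
    deadline: int  # earliest time it may be finalized
    yes: int = 0
    no: int = 0

def ready(b, now):
    """Deadline passed and quorum reached."""
    return now >= b.deadline and b.yes + b.no >= QUORUM

def rule_before(b, open_ballots, now):
    """Reported flaw: only the open ballot with the most "Yes" votes may be
    finalized; whether competitors have reached their deadline is ignored."""
    if not ready(b, now):
        return False
    return max(open_ballots, key=lambda x: x.yes).ballot_id == b.ballot_id

def rule_after(b, open_ballots, now):
    """After the mitigation: no cross-ballot restriction."""
    return ready(b, now)

def first_finalizable(rule, target_id, ballots, votes, horizon):
    """Replay vote events (time, ballot_id, yes, no); return the first time
    the target ballot may be finalized under `rule`, or None."""
    state = {b.ballot_id: Ballot(b.ballot_id, b.created, b.deadline) for b in ballots}
    for now in range(horizon + 1):
        for t, bid, yes, no in votes:
            if t == now:
                state[bid].yes += yes
                state[bid].no += no
        # Assumption: a competitor leaves the open set as soon as it is ready.
        open_ballots = [b for b in state.values() if b.created <= now
                        and (b.ballot_id == target_id or not ready(b, now))]
        if rule(state[target_id], open_ballots, now):
            return now
    return None

# Constructed scenario: ballot 2 is submitted just before ballot 1's deadline,
# briefly leads on "Yes" votes, then is voted down before its own deadline.
BALLOTS = [Ballot(1, created=0, deadline=10), Ballot(2, created=9, deadline=19)]
VOTES = [(5, 1, 150, 20), (9, 2, 160, 0), (15, 2, 0, 300)]
```

In this constructed timeline ballot 1 is finalizable at its own deadline under `rule_after`, while under `rule_before` it waits until the competing ballot's deadline has passed.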

c4-judge commented 4 months ago

Picodes marked the issue as satisfactory