Lines of code
Vulnerability details
C4 Issue
https://github.com/code-423n4/2024-01-salty-findings/issues/556
Comments
The DAO's process for finalizing token whitelisting proposals is flawed: it only allows the whitelisting ballot with the highest number of votes to proceed, without considering whether the competing ballots have passed their voting deadline. This overlooks the case where a ballot that currently has more "Yes" votes could still be rejected as "No" votes accumulate before its deadline. As a result, a proposal that has already reached its deadline and achieved quorum can be unjustly delayed whenever a newer proposal temporarily garners more "Yes" votes, even if that newer proposal is eventually defeated. A malicious actor can exploit this to intentionally delay the finalization of a legitimate proposal by submitting competing proposals shortly before the original proposal's deadline, gaming the system to push finalization further into the future.
Mitigation
https://github.com/othernet-global/salty-io/commit/ccf4368
The mitigation removed the restrictions on token whitelisting proposals entirely; an unlimited number of token whitelisting proposals can now be made.
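To make the delay concrete, the following Python model replays the scenario from the finding and contrasts the pre- and post-mitigation gates. It is an added illustration written for this review, not Salty.IO code: the quorum value, timestamps, vote counts and the `Ballot`, `can_finalize_vulnerable` and `can_finalize_fixed` names are all constructed stand-ins for the DAO's Solidity logic, and the "most votes" rule is modelled as a comparison of raw "Yes" counts across every open whitelisting ballot.

```python
"""Toy model of the 'only the whitelisting ballot with the most votes can be
finalized' gate and the griefing it permits.  Constructed illustration written
for this review; it is not Salty.IO code, and the quorum value, vote counts and
timestamps are invented."""
from dataclasses import dataclass

QUORUM = 100  # assumed fixed quorum; the real protocol derives it from stake


@dataclass
class Ballot:
    ballot_id: int
    deadline: int  # timestamp after which voting closes
    yes: int = 0
    no: int = 0

    def approved(self, now: int) -> bool:
        """Passed: voting closed, quorum reached, more Yes than No."""
        return now >= self.deadline and self.yes + self.no >= QUORUM and self.yes > self.no

    def rejected(self, now: int) -> bool:
        """Closed without passing (no quorum or a No majority)."""
        return now >= self.deadline and not self.approved(now)


def ballot_with_most_yes(open_ballots: list) -> int:
    """Assumed 'most votes' rule: raw Yes counts over every open whitelisting
    ballot, whether or not its deadline has passed."""
    return max(open_ballots, key=lambda b: b.yes).ballot_id


def can_finalize_vulnerable(open_ballots: list, ballot_id: int, now: int) -> bool:
    """Pre-mitigation gate: approved AND currently the most-voted open ballot."""
    target = next(b for b in open_ballots if b.ballot_id == ballot_id)
    return target.approved(now) and ballot_with_most_yes(open_ballots) == ballot_id


def can_finalize_fixed(open_ballots: list, ballot_id: int, now: int) -> bool:
    """Post-mitigation gate: each ballot stands on its own result."""
    target = next(b for b in open_ballots if b.ballot_id == ballot_id)
    return target.approved(now)


def griefing_scenario() -> dict:
    """Replay the delay described in the finding on constructed data."""
    # Legitimate ballot A: deadline t=100, quorum met, clear Yes majority.
    a = Ballot(ballot_id=1, deadline=100, yes=70, no=40)
    # Attacker's ballot B, opened just before A's deadline with a later
    # deadline and one more Yes vote than A (e.g. the attacker's own stake).
    b = Ballot(ballot_id=2, deadline=190, yes=71, no=0)
    open_ballots = [a, b]

    result = {}
    # t=100: A has passed, but B holds more Yes votes, so the old gate refuses A.
    result["a_approved_at_100"] = a.approved(100)
    result["vulnerable_finalizes_a_at_100"] = can_finalize_vulnerable(open_ballots, 1, 100)
    result["fixed_finalizes_a_at_100"] = can_finalize_fixed(open_ballots, 1, 100)
    # B cannot be finalized yet either: its own deadline has not passed.
    result["vulnerable_finalizes_b_at_100"] = can_finalize_vulnerable(open_ballots, 2, 100)

    # Honest voters reject B before its deadline closes.
    b.no = 150
    result["b_rejected_at_190"] = b.rejected(190)
    # Only once B closes and is finalized as rejected (leaving the open set)
    # does A stop being blocked under the old gate.
    open_ballots.remove(b)
    result["vulnerable_finalizes_a_at_190"] = can_finalize_vulnerable(open_ballots, 1, 190)
    result["delay_imposed_on_a"] = 190 - 100
    return result


if __name__ == "__main__":
    for key, value in griefing_scenario().items():
        print(f"{key}: {value}")
```

Under the vulnerable gate, A is stuck between t=100 and t=190 even though nothing about A changed: B is not yet finalizable and A is not the most-voted ballot, so neither can be finalized until B's deadline passes. The attacker can repeat this with a fresh competing ballot each time. Under the mitigated rule, A finalizes at t=100 regardless of what other whitelisting ballots are open.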
Conclusion
LGTM