Open c4-bot-5 opened 7 months ago
minhquanym marked the issue as primary issue
minhquanym marked the issue as sufficient quality report
I think this is a valid bug report, we have fixed it by using OZ 4.9.6.
dantaik (sponsor) confirmed
0xean marked the issue as satisfactory
0xean marked the issue as selected for report
Hi @0xean! Although the issue is valid, according to the supreme court ruling it is deemed OOS, as was the case in a similar issue in the previous autonolas audit. https://docs.code4rena.com/awarding/judging-criteria/supreme-court-decisions-fall-2023#verdict-fault-in-out-of-scope-library-impact-in-in-scope-contract-to-reward-or-not-to-reward
https://github.com/code-423n4/2023-12-autonolas-findings/issues/357
That's a disappointing ruling, but will follow the rules here.
Marking down to QA so it's still noted in reports.
0xean changed the severity to QA (Quality Assurance)
0xean marked the issue as grade-b
0xean marked the issue as not selected for report
Lines of code
https://github.com/code-423n4/2024-03-taiko/blob/f58384f44dbf4c6535264a472322322705133b11/packages/protocol/contracts/L1/gov/TaikoGovernor.sol#L69-L86
Vulnerability details
Impact
The TaikoGovernor contract already overrides the propose method as a remediation for an existing bug in the inherited OpenZeppelin GovernorCompatibilityBravoUpgradeable contract, but the current implementation still misses another bug in that contract, which enables a denial-of-service attack on proposal creation.
Proof of Concept
As mentioned in the OpenZeppelin security advisory, the used version has a DoS vulnerability.
The situation is best explained in this blog. In summary:
The exposed cancel method allows a malicious user to disrupt the governance proposal. There are two participants involved in the attack: an attacker that does not want a proposal to pass and a proposer that wants to submit a new proposal.
The attacker can continue performing the attack as long as they wish. Each time the cost is only two transactions, one of which must be a frontrun. This cost is negligible for proposals which seriously impact the working of a protocol.
The current propose method has no remediation for this DoS attack:
https://github.com/code-423n4/2024-03-taiko/blob/f58384f44dbf4c6535264a472322322705133b11/packages/protocol/contracts/L1/gov/TaikoGovernor.sol#L69-L86
Tools Used
Manual review
Recommended Mitigation Steps
The upstream patch can be integrated into the current implementation, just as was done with the patch for the invalid signatures length.
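The front-running sequence described in the proof of concept, and the upstream mitigation it refers to (the opt-in "#proposer=0x<address>" description suffix that OpenZeppelin added to Governor in 4.9.1, under which a suffixed proposal may only be submitted by that address), modelled as an added Python example. This is not code from the Taiko repository or from OpenZeppelin: the ToyGovernor class, the use of sha256 in place of keccak256(abi.encode(...)) for the proposal id, the error messages, the two addresses and the proposal actions are all constructed for the example.

```python
import hashlib
import json
import re
from dataclasses import dataclass

# "#proposer=0x" followed by 40 hex characters = 52 bytes, the suffix the
# upstream check recognises at the very end of a proposal description.
MARKER = b"#proposer=0x"
SUFFIX_LEN = len(MARKER) + 40


def is_valid_description_for_proposer(proposer: str, description: str) -> bool:
    """Model of the opt-in front-running protection.

    If the description ends with "#proposer=0x<40 hex digits>", only that
    address may submit the proposal. A description without the marker, or
    with a malformed suffix, is accepted from anyone.
    """
    raw = description.encode()
    if len(raw) < SUFFIX_LEN:
        return True
    tail = raw[-SUFFIX_LEN:]
    if not tail.startswith(MARKER):
        return True
    hex_part = tail[len(MARKER):]
    if not re.fullmatch(rb"[0-9a-fA-F]{40}", hex_part):
        return True  # not a well-formed address: suffix is ignored, as upstream does
    return int(hex_part, 16) == int(proposer, 16)


@dataclass
class Proposal:
    proposer: str
    canceled: bool = False


class ToyGovernor:
    """Minimal stand-in for Governor.propose / Bravo-style cancel (constructed)."""

    def __init__(self, proposer_check: bool):
        self.proposer_check = proposer_check
        self.proposals = {}  # proposal id -> Proposal

    @staticmethod
    def hash_proposal(targets, values, calldatas, description) -> str:
        # Like Governor.hashProposal, the id depends only on the actions and the
        # description hash, not on the sender: that is what makes front-running work.
        desc_hash = hashlib.sha256(description.encode()).hexdigest()
        blob = json.dumps([targets, values, calldatas, desc_hash])
        return hashlib.sha256(blob.encode()).hexdigest()

    def propose(self, sender, targets, values, calldatas, description) -> str:
        if self.proposer_check and not is_valid_description_for_proposer(sender, description):
            raise PermissionError("proposer restricted by description suffix")
        pid = self.hash_proposal(targets, values, calldatas, description)
        if pid in self.proposals:  # canceled ids stay registered, so the id cannot be reused
            raise ValueError("proposal already exists")
        self.proposals[pid] = Proposal(proposer=sender)
        return pid

    def cancel(self, sender, targets, values, calldatas, description) -> str:
        pid = self.hash_proposal(targets, values, calldatas, description)
        proposal = self.proposals[pid]
        if proposal.proposer != sender:
            raise PermissionError("only the proposer can cancel")
        proposal.canceled = True
        return pid


# Constructed addresses and proposal actions for the replay below.
HONEST = "0x1111111111111111111111111111111111111111"
ATTACKER = "0x2222222222222222222222222222222222222222"
ACTIONS = (["0x3333333333333333333333333333333333333333"], [0], ["0xabcdef"])


def simulate(front_running_protection: bool) -> str:
    """Replay the two-transaction sequence from the advisory.

    Returns the address that ends up as proposer of the honest proposal, or
    "blocked" if the honest transaction can no longer be submitted at all.
    """
    gov = ToyGovernor(proposer_check=front_running_protection)
    description = "Adjust protocol parameter"
    if front_running_protection:
        description += f"#proposer={HONEST}"  # honest proposer opts in to the check
    # Tx 1: the pending honest transaction is seen and the identical proposal is
    # submitted first, making the other party its proposer.
    try:
        gov.propose(ATTACKER, *ACTIONS, description)
    except PermissionError:
        # The suffix check rejects anyone but HONEST, so the honest tx succeeds.
        pid = gov.propose(HONEST, *ACTIONS, description)
        return gov.proposals[pid].proposer
    # Tx 2: cancel it. The id is now permanently taken.
    gov.cancel(ATTACKER, *ACTIONS, description)
    try:
        gov.propose(HONEST, *ACTIONS, description)
    except ValueError:
        return "blocked"
    return HONEST
```

The detection-side takeaway is the last branch of simulate: without the check, the honest proposal reverts with "proposal already exists" because canceled ids remain registered, so a governance team watching for a propose call that reverts right after a ProposalCreated/ProposalCanceled pair for the same id is looking at exactly this pattern. With the suffix in place the front-runner's propose reverts instead, and the cost of the attack is no longer two transactions but zero effect.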
Assessed type
Governance