code-423n4 / 2024-03-taiko-findings


TaikoGovernor is vulnerable to DoS for new proposals #304

Open c4-bot-5 opened 7 months ago

c4-bot-5 commented 7 months ago

Lines of code

https://github.com/code-423n4/2024-03-taiko/blob/f58384f44dbf4c6535264a472322322705133b11/packages/protocol/contracts/L1/gov/TaikoGovernor.sol#L69-L86

Vulnerability details

Impact

The TaikoGovernor contract already overrides the propose method because of a remediation for an existing bug in the inherited OpenZeppelin GovernorCompatibilityBravoUpgradeable contract, but at the same time the current implementation misses another bug, a denial-of-service attack.

Proof of Concept

As mentioned in the OpenZeppelin security advisory, the used version has a DoS vulnerability.

The situation is best explained in this blog. As a summary:

The exposed cancel method allows a malicious user to disrupt the governance proposal. There are two participants involved in the attack: an attacker that does not want a proposal to pass and a proposer that wants to submit a new proposal.

The attacker can continue performing the attack as long as they wish. Each time the cost is only two transactions, one of which must be a frontrun. This cost is negligible for proposals which seriously impact the working of a protocol.

The current propose method has no remediation for this DoS attack:

https://github.com/code-423n4/2024-03-taiko/blob/f58384f44dbf4c6535264a472322322705133b11/packages/protocol/contracts/L1/gov/TaikoGovernor.sol#L69-L86

Tools Used

Manual review

Recommended Mitigation Steps

The upstream patch can be integrated into the current implementation, just as was done with the patch for the invalid signatures length.

Assessed type

Governance
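The front-run-and-cancel sequence described in the Proof of Concept above, together with the mitigation that the upstream OpenZeppelin fix introduced (a proposer may append `#proposer=0x<address>` to the description so that only that address can submit the proposal), as an added stand-alone example. This is not Taiko's or OpenZeppelin's code: `MiniGovernor`, its error names, the simplified proposer-only `cancel` rule and the pure-Solidity suffix parser are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not Taiko or OpenZeppelin code): a minimal Bravo-style
/// governor that reproduces the front-run + cancel DoS and the
/// description-suffix mitigation. All names here are assumptions.
contract MiniGovernor {
    enum ProposalState { Nonexistent, Pending, Canceled }

    mapping(uint256 => ProposalState) public state;
    mapping(uint256 => address) public proposerOf;

    error ProposalAlreadyExists(uint256 proposalId);
    error RestrictedProposer(address caller);
    error OnlyProposerCanCancel(uint256 proposalId);

    /// The id is derived only from the proposal content, so anyone who sees a
    /// pending `propose` transaction in the mempool can compute the same id.
    function hashProposal(
        address[] memory targets,
        uint256[] memory values,
        bytes[] memory calldatas,
        bytes32 descriptionHash
    ) public pure returns (uint256) {
        return uint256(keccak256(abi.encode(targets, values, calldatas, descriptionHash)));
    }

    function propose(
        address[] memory targets,
        uint256[] memory values,
        bytes[] memory calldatas,
        string memory description
    ) public returns (uint256 proposalId) {
        // Mitigation: a description ending in "#proposer=0x<40 hex chars>" can
        // only be submitted by that address, so a front-runner's copy reverts.
        if (!_isValidDescriptionForProposer(msg.sender, description)) {
            revert RestrictedProposer(msg.sender);
        }
        proposalId = hashProposal(targets, values, calldatas, keccak256(bytes(description)));
        // Attack without the mitigation: the attacker front-runs with identical
        // arguments, then calls cancel(); the victim's propose() reverts here.
        if (state[proposalId] != ProposalState.Nonexistent) {
            revert ProposalAlreadyExists(proposalId);
        }
        state[proposalId] = ProposalState.Pending;
        proposerOf[proposalId] = msg.sender;
    }

    /// Bravo-style cancel by proposal id (simplified: proposer only).
    function cancel(uint256 proposalId) public {
        if (proposerOf[proposalId] != msg.sender) revert OnlyProposerCanCancel(proposalId);
        state[proposalId] = ProposalState.Canceled;
    }

    /// Returns false only when a well-formed "#proposer=0x..." suffix names a
    /// different address. A missing or malformed suffix leaves the proposal open.
    function _isValidDescriptionForProposer(address proposer, string memory description)
        internal
        pure
        returns (bool)
    {
        bytes memory d = bytes(description);
        uint256 len = d.length;
        if (len < 52) return true; // "#proposer=0x" (12 bytes) + 40 hex digits
        bytes memory marker = bytes("#proposer=0x");
        uint256 start = len - 52;
        for (uint256 i = 0; i < 12; ++i) {
            if (d[start + i] != marker[i]) return true; // no marker present
        }
        uint160 recovered = 0;
        for (uint256 i = len - 40; i < len; ++i) {
            (bool isHex, uint8 nibble) = _hexNibble(d[i]);
            if (!isHex) return true; // malformed suffix is ignored
            recovered = (recovered << 4) | nibble;
        }
        return recovered == uint160(proposer);
    }

    function _hexNibble(bytes1 c) private pure returns (bool, uint8) {
        uint8 b = uint8(c);
        if (b >= 0x30 && b <= 0x39) return (true, b - 0x30); // '0'..'9'
        if (b >= 0x41 && b <= 0x46) return (true, b - 0x37); // 'A'..'F'
        if (b >= 0x61 && b <= 0x66) return (true, b - 0x57); // 'a'..'f'
        return (false, 0);
    }
}
```

Without the suffix, the attacker reads the victim's pending `propose` call, submits `propose` with the same `targets`, `values`, `calldatas` and `description` at a higher gas price, then calls `cancel(id)`; the victim's transaction then reverts with `ProposalAlreadyExists`, and the attacker can repeat this for two transactions per attempt. When the victim appends `#proposer=0x<their own address>` to the description, the attacker's copy reverts with `RestrictedProposer`, and the attacker cannot strip or alter the suffix without changing the description hash and therefore the proposal id. Taiko's remediation recorded in the thread was to move to OZ 4.9.6, which carries this check upstream, rather than porting it by hand.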

c4-pre-sort commented 7 months ago

minhquanym marked the issue as primary issue

c4-pre-sort commented 7 months ago

minhquanym marked the issue as sufficient quality report

dantaik commented 6 months ago

I think this is a valid bug report; we have fixed it by using OZ 4.9.6.

c4-sponsor commented 6 months ago

dantaik (sponsor) confirmed

c4-judge commented 6 months ago

0xean marked the issue as satisfactory

c4-judge commented 6 months ago

0xean marked the issue as selected for report

genesiscrew commented 6 months ago

Hi @0xean! Although the issue is valid, according to the Supreme Court ruling it is deemed OOS, as was the case in a similar issue in the previous Autonolas audit. https://docs.code4rena.com/awarding/judging-criteria/supreme-court-decisions-fall-2023#verdict-fault-in-out-of-scope-library-impact-in-in-scope-contract-to-reward-or-not-to-reward

https://github.com/code-423n4/2023-12-autonolas-findings/issues/357

0xean commented 6 months ago

That's a disappointing ruling, but I will follow the rules here.

0xean commented 6 months ago

Marking down to QA so it's still noted in reports.

c4-judge commented 6 months ago

0xean changed the severity to QA (Quality Assurance)

c4-judge commented 6 months ago

0xean marked the issue as grade-b

c4-judge commented 6 months ago

0xean marked the issue as not selected for report