code-423n4 / 2024-03-taiko-findings


The OZ library used in `TaikoGovernor.sol` has a security issue which could lead to proposals creation being blocked by frontrunning them #311

Open c4-bot-9 opened 3 months ago

c4-bot-9 commented 3 months ago

Lines of code

https://github.com/code-423n4/2024-03-taiko/blob/f58384f44dbf4c6535264a472322322705133b11/packages/protocol/contracts/L1/gov/TaikoGovernor.sol#L6
https://github.com/code-423n4/2024-03-taiko/blob/f58384f44dbf4c6535264a472322322705133b11/packages/protocol/package.json#L38-L39

Vulnerability details

Impact

The TaikoGovernor.sol uses OZ "@openzeppelin/contracts-upgradeable/governance/compatibility/GovernorCompatibilityBravoUpgradeable.sol" version 4.8.2, which has a medium severity attached, that could lead to DoS in the case of proposal creation.

Proof of Concept

As you can see, TaikoGovernor.sol uses "@openzeppelin/contracts-upgradeable/governance/compatibility/GovernorCompatibilityBravoUpgradeable.sol" and "@openzeppelin/contracts-upgradeable/governance/GovernorUpgradeable.sol" version 4.8.2 (https://github.com/code-423n4/2024-03-taiko/blob/f58384f44dbf4c6535264a472322322705133b11/packages/protocol/package.json#L38-L39), but if we look closely at this version we can see that it has a medium severity advisory (https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5h3x-9wvq-w4m2), which specifies that a proposal can be easily front-run by anyone, which could lead to DoS. In the codebase there is no actual protection against it, since in both propose functions the main OZ function is called with the super keyword, as can be seen here:
https://github.com/code-423n4/2024-03-taiko/blob/f58384f44dbf4c6535264a472322322705133b11/packages/protocol/contracts/L1/gov/TaikoGovernor.sol#L58
https://github.com/code-423n4/2024-03-taiko/blob/f58384f44dbf4c6535264a472322322705133b11/packages/protocol/contracts/L1/gov/TaikoGovernor.sol#L81-L85

Tools Used

Manual review

Recommended Mitigation Steps

Use an OZ library version of at least 4.9.1, since that is the version in which the problem was patched, to circumvent this issue.

Assessed type

Library
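The proposal front-running described in the report, modelled as an added example that is not code from the report or the Taiko project: a minimal Python model of Governor's proposal-id derivation, with the optional `#proposer=0x<address>` description-suffix check that OZ 4.9.1 added. The hash is a sha256 stand-in for keccak256(abi.encode(...)); `Governor`, `MARKER`, and the sample addresses are constructed for the model.

```python
import hashlib
from dataclasses import dataclass, field

MARKER = "#proposer=0x"  # suffix marker introduced by OZ 4.9.1
HEX = set("0123456789abcdefABCDEF")

def proposal_id(targets, values, calldatas, description):
    # The id depends only on proposal contents, never on the sender, so two
    # accounts submitting identical contents collide on the same id.
    # Stand-in: sha256 over a canonical join instead of keccak256(abi.encode).
    desc_hash = hashlib.sha256(description.encode()).hexdigest()
    payload = "|".join([",".join(targets), ",".join(map(str, values)),
                        ",".join(calldatas), desc_hash])
    return hashlib.sha256(payload.encode()).hexdigest()

def is_valid_description_for_proposer(proposer, description):
    # Port of the 4.9.1 check: if the description ends in "#proposer=0x" plus 40
    # hex chars, only that address may submit it; otherwise the suffix is ignored.
    if len(description) < 52:
        return True
    suffix = description[-52:]
    if not suffix.startswith(MARKER):
        return True
    addr = suffix[len(MARKER):]
    if any(c not in HEX for c in addr):
        return True  # malformed hex: not a proposer suffix, so no restriction
    return int(addr, 16) == int(proposer, 16)

@dataclass
class Governor:
    check_proposer_suffix: bool  # False models 4.8.2, True models 4.9.1
    proposals: dict = field(default_factory=dict)  # id -> proposer

    def propose(self, sender, targets, values, calldatas, description):
        if self.check_proposer_suffix and not is_valid_description_for_proposer(sender, description):
            raise PermissionError("Governor: proposer restricted")
        pid = proposal_id(targets, values, calldatas, description)
        if pid in self.proposals:
            raise ValueError("Governor: proposal already exists")
        self.proposals[pid] = sender
        return pid

if __name__ == "__main__":
    honest, copier = "0x" + "11" * 20, "0x" + "22" * 20  # constructed addresses
    args = (["0x" + "aa" * 20], [0], ["0xdeadbeef"])
    old = Governor(check_proposer_suffix=False)
    old.propose(copier, *args, "Fund grants")  # copier lands first on 4.8.2
    try:
        old.propose(honest, *args, "Fund grants")
    except ValueError as e:
        print("4.8.2:", e)  # the original proposer is locked out
    new = Governor(check_proposer_suffix=True)
    print("4.9.1:", new.propose(honest, *args, "Fund grants" + MARKER + honest[2:])[:16])
```

On the patched model, a copier who reuses the bound description verbatim is rejected, and one who rewrites the suffix to their own address gets a different proposal id that no longer collides.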

c4-pre-sort commented 3 months ago

minhquanym marked the issue as duplicate of #304

c4-judge commented 3 months ago

0xean marked the issue as satisfactory

c4-judge commented 3 months ago

0xean changed the severity to QA (Quality Assurance)

c4-judge commented 3 months ago

0xean marked the issue as grade-b