search

code-423n4 / 2024-05-munchables-findings

3 stars 1 forks source link

a proposal can be disapproved and then approved again #484

Closed howlbot-integration[bot] closed 3 months ago

howlbot-integration[bot] commented 3 months ago

Lines of code

https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L177-L243

Vulnerability details

Impact

If a proposal is disapproved by the disapproveUSDPrice() function, and then the approveUSDPrice() function is called, there is currently no check to prevent the proposal from being reapproved. As a result, it is possible for someone to vote again and change the status from disapproved to approved. Additionally, the counters usdUpdateProposal.disapprovalsCount++ and usdUpdateProposal.approvalsCount++ are updated incorrectly.

Proof of Concept

In disapproveUSDPrice() there are two checks implemented to prevent someone from voting twice on a proposal.

        if (usdUpdateProposal.approvals[msg.sender] == _usdProposalId) 
            revert ProposalAlreadyApprovedError();
        if (usdUpdateProposal.disapprovals[msg.sender] == _usdProposalId)
            revert ProposalAlreadyDisapprovedError();

https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L225-L228

but in approveUSDPrice() there is only one check 

 if (usdUpdateProposal.approvals[msg.sender] == _usdProposalId)
            revert ProposalAlreadyApprovedError();

sir 0xinsanity accepts this in Curious Private Thread

" it is possible but it shouldn’t be "

Tools Used

VsCode

Recommended Mitigation Steps

In approveUSDPrice()The disapproval check should also be added.

if (usdUpdateProposal.disapprovals[msg.sender] == _usdProposalId)
            revert ProposalAlreadyDisapprovedError();

Assessed type

Invalid Validation

c4-judge commented 3 months ago

alex-ppg marked the issue as satisfactory