Open c4-bot-1 opened 1 month ago
@alex-ppg When #495 is fixed, it's going to make the issue described in this report a ready vulnerability. Please let me know if you would need further context, and thank you for looking into this report.
Hey @mystery0x, thanks for your PJQA feedback! First of all, using the alleviation of a vulnerability as evidence of a submission's severity escalation is not accepted practice.
In any case, the submission does indeed detail a flaw in the code albeit a QA (L) one as we are talking about an administrative function that we can assume is responsibly invoked. As such, it cannot constitute a valid HM vulnerability.
Lines of code
https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L129-L139 https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L15-L18
Vulnerability details
Impact
While the default values for
APPROVE_THRESHOLD
andDISAPPROVE_THRESHOLD
are both set to 3, the issue arises when these thresholds are modified. Given that the proposer’s approval is automatically counted, only 4 out of the 5 designated addresses can participate in the disapproval process. If the thresholds are increased to e.g. 4, proposals can become stuck if only 2 approvals (2 + 1 in this case) or 2 disapprovals are obtained, as the required threshold cannot be met. This situation prevents the proposal from progressing or being terminated, which can disrupt the governance process and lead to operational inefficiencies. Without a mechanism to reset or resolve a stuck proposal, the contract's functionality can be severely impacted.Proof of Concept
Here's a typical scenario:
https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L181-L189 https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L214-L222
https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L129-L139
ProposalInProgressError
.https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L133-L134 https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L157-L158
Tools Used
Manual
Recommended Mitigation Steps
Ensure that the sum of
APPROVE_THRESHOLD
andDISAPPROVE_THRESHOLD
does not exceed the total number of designated addresses plus one (to account for the proposer’s automatic approval).Assessed type
Invalid Validation