Closed c4-bot-8 closed 1 month ago
This is a known issue that Trust has raised before.
thereksfour marked the issue as unsatisfactory: Out of scope
Hi @thereksfour , @tbrent , @akshatmittal , Thanks for your review.
After carefully reviewing the issue from Trust, I realized that these are entirely different issues.
In the first part, they described that a new era
can be created in two ways.
When RSR stakers are wiped out due to their RSR being seized to restore collateralization, a
new era is entered. In addition, a new era can be entered manually if the stakeRate becomes
unsafe. To enter a new era, the Governance must call StRSR.resetStakes(). The function
documentation describes a standoff scenario whereby griefers can stake enough RSR to vote
against the reset.
This part is not related to my report.
In the second part, they discussed insufficient governance parameters
.
I believe they were referring to issues like a short voting period
, voting delays
, and similar concerns.
In addition, if Governance parameters are chosen unsafely, there may be insufficient time for
users to stake again after an era change such that an attacker could more easily attack the
Governance by staking a large amount of RSR.
More generally users are incentivized to stake RSR by receiving a share of the revenue that
the RToken generates. If the economic incentives leave stakers better off staking in another
RToken or selling their RSR, this makes the RToken vulnerable to takeovers.
However, I described the issue under correct governance parameters
.
Even if all parameters, such as voting delay
and voting period
, are properly set, this issue can still occur when StRSR
switches to a new era
.
If there is no switching, governance will function correctly.
However, switching to a new era
can happen by seizing StRSR
, not by a governance call.
Malicious proposers
can continuously submit bad proposals
.
In normal situations, honest parties can prevent this unless the malicious party has the majority of votes
.
However, if StRSR
switches to a new era
during the voting delay
, the voting power
of all users is reset, and the malicious party can stake some RSR
to gain voting power
and pass their bad proposals
.
As I described in my report, the honest parties do not have enough time to prevent this due to the insufficient remaining voting delay
.
The comment from 3docSec in issue 22 is correct.
This finding describes that proposals at the edge of the era may have shorter VOTING DELAY due to voting resets when crossing eras, which has a different root cause than the known issue. Tend to upgrade it to M.
After discussions with sponsors , sponsors indicated that it was intentional behavior, they tend to keep proposals created before era change, and guardian will cancel malicious proposals.
when the era changes, the power is reset, but any votes that were cast before the era change do not get reset
Lines of code
https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/StRSR.sol#L452 https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/plugins/governance/Governance.sol#L131
Vulnerability details
Impact
In governance systems, there’s always a risk of malicious users creating harmful
proposals
. It’s crucial to prevent theseproposals
from being executed, which is the primary role of the governor. For a maliciousproposal
to succeed, the malicious user must have enough (e.x.51%
of)votes
at the time thevote
begins. The governor takes asnapshot
of all users'votes
at that moment.When a malicious
proposal
is made, honest users will work to gather morevotes
than the malicious party. To help with this, avoting delay
exists. In theReserve Governor
, theminimum voting delay
is set to1 day
. However, there are situations where thisdelay
might not be effective, allowing malicious users to still gather enoughvotes
to pass their harmfulproposals
. This is really dangerous.Proof of Concept
Let's say the
current era
inStRSR
is2
, and a malicious user has enoughvotes
to create anyproposal
they want. They create a maliciousproposal
attime T
. If thevoting delay
isD
, thevote
will begin atT + D
, and thesnapshot
ofvotes
for thisproposal
will beT + D
(line 290, 295
).Honest users have enough
votes
to defeat thisproposal
or to gather morevotes
than the malicious user.However, if the
StRSR
moves to thenext era
(era 3
) atT + D - 1
(or any time close to thevote start
), all users'votes
fromera 2
will disappear (line 452
).The malicious user can then quickly
stake
someRSR
to get newvotes
, while the honest users don’t have enough time to gather sufficientvotes
. In this case, the actualvoting delay
might act as short as1 second
, for example.When the
vote
begins, the malicious user has enoughvotes
to pass theirproposal
.The
proposalSnapshot
function returns thevote start time
, which isT + D
.Since
era 3
has just begun atT + D - 1
, thequorum
will be small, mostly consisting of the malicious users'votes
.If the malicious users cast their
votes
for their ownproposal
, thequorum
will be reached.And the
proposal
will be marked as successful.At this point, the
_cancel
function will revert because theera
atT + D
(when thevote
starts) is now3
, matching thecurrent era
(line 131
).Even the owner cannot cancel these
proposals
.Tools Used
Recommended Mitigation Steps
proposal creation time
instead of thevote start time
in thestartedInSameEra
function.owner
to cancel anyproposal
.Assessed type
Invalid Validation