Closed c4-bot-9 closed 1 month ago
dupe with #17
thereksfour marked the issue as unsatisfactory: Out of scope
Hi @thereksfour and @tbrent,
I agree this and #17 should be duped together; I however would like to point out that the issues pointed by the Trust audit are different:
The function documentation describes a standoff scenario whereby griefers can stake enough RSR to vote against the reset.
I guess there is no question about this one being a different topic;
In addition, if Governance parameters are chosen unsafely, there may be insufficient time for users to stake again after an era change such that an attacker could more easily attack the Governance by staking a large amount of RSR.
This second issue is more similar, but highlights a different root cause:
This report and #17 are instead, in my opinion, a different issue, because:
votingDelay
)thereksfour marked the issue as duplicate of #17
Lines of code
https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/StRSRVotes.sol#L95 https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/plugins/governance/Governance.sol#L185
Vulnerability details
The Governance contract bases the weight it gives to users' votes on the balance they held at the time the proposal was opened up for voting:
The
getPastVotes
function gets the StRSR balance of a user at the giventimepoint
.Because of how StRSR staking eras are implemented, a RSR seizing action can reset everyone's balance, and their voting power with them.
Proof of Concept
This opens up for a possible attack vector, starting from a specific scenario:
MAX_STAKE_RATE
valueIn this scenario, a malicious actor can submit a malicious proposal (or multiple ones over time) that will start in
MIN_VOTING_DELAY
(1 day) or after.After this time is almost over:
BackingManager.rebalance
(as it's permissionless)Impact
RTokens are vulnerable to rare and elaborate, but still possible, governance attacks.
Tools Used
Code review, Foundry
Recommended Mitigation Steps
Consider modifying the
Governance.startedInSameEra
function to also require that the proposal was created in the current era.This will give honest participants at least one full day after an era reset to build up a fair and representative voting power.
Assessed type
Governance