code-423n4 / 2024-07-reserve-findings


Governance might be vulnerable during era transitions #40

Closed c4-bot-10 closed 1 month ago

c4-bot-10 commented 1 month ago

Lines of code

https://github.com/code-423n4/2024-07-reserve/blob/main/contracts/plugins/governance/Governance.sol#L185

Vulnerability details

Description

The StRSR token gives voting power to the RSR stakers on an individual RToken. In some cases, the StRSR is re-issued at a 1:1 rate, which starts a new era of the staking, when balances are zeroed out, and the total supply of StRSR is reset. This new period can be potentially dangerous for the respective RToken system since both quorum and proposer threshold are percentage values based on the total supply of StRSR. Let's examine the scenarios in more detail.

Proof of concept

https://github.com/code-423n4/2024-07-reserve/blob/main/contracts/plugins/governance/Governance.sol#L185

  1. Proposal from the previous era

There is a strict rule in governance that proposals must start in the same era as they are executed or queued. This is logical; since the votes are reset during an era bump, the proposals should be discarded as well. However, there is a little flaw: the time used to judge whether a proposal is from the same era is based on its proposalSnapshot, i.e., when the voting for that proposal started.

This seems counterintuitive due to the previously mentioned rule and the fact that the proposer of this proposal might not have the voting power to be a proposer anymore. The latter might be negligible since such a situation might also happen by buying, proposing, and dumping the voting power, but it is still counterintuitive. However, the real problem with this is that when the proposal was created, the voting power was distributed in some way that is no longer true. However, if voting started shortly after a new era, the voting power would be reset and might be easier to manipulate so that somebody could profit from the system during such times. This also leads us to another scenario.

  2. New proposals

Since the proposal threshold can even be zero during this time (e.g., one block after a new era begins and the total supply of StRSR is 0, so is the proposal threshold), this opens up room for 1) spam proposals, as no stake is needed to create a proposal as well as 2) malicious proposals. Note that the "power" can now be obtained pretty easily, and the governance/staking might need some time to recover to a normal level.

Impact and likelihood

We believe the CANCELLER plays a crucial role in mitigating such issues, but if we assume that (as stated in the docs) "it is acceptable if it is relatively slow to act", this issue might still pose a considerable risk to the protocol and its respective systems. Considering the presence of this role, the likelihood of such an issue should be judged LOW, while the impact should be judged HIGH. Therefore, the severity of this issue should be considered MEDIUM.

Recommendation

  1. Consider implementing a cooldown period for the governance after a new era begins. No proposals should be made during this time, and no voting should occur. This time would allow the system to recover the ability to vote in the system's best interest again.
  2. Consider using the proposal's creation time instead of proposalSnapshot in startedInSameEra.
  3. Consider enforcing a minimum amount of voting power in the proposal threshold if the total supply happens to be zero.

Assessed type

Governance
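As an added example (not Reserve's code and not part of the finding above), a small Python model of the era-aware governance checks the finding discusses, with the three recommended mitigations applied: a post-era cooldown, an era check keyed on creation time rather than the vote snapshot, and a floor under the percentage-based proposal threshold. All names, the 1% threshold, the floor and the cooldown length are assumptions.

```python
from dataclasses import dataclass

# Hypothetical governance parameters (constructed for this model).
THRESHOLD_PCT = 1                    # proposal threshold as % of StRSR total supply
MIN_PROPOSAL_POWER = 1_000 * 10**18  # floor so the threshold never collapses to 0
ERA_COOLDOWN_BLOCKS = 7_200          # no proposals this long after an era bump


@dataclass
class StRSR:
    """Minimal stand-in for the staking token: supply resets to 0 on an era bump."""
    era: int = 1
    total_supply: int = 0
    last_era_start: int = 0  # block number of the most recent era bump

    def bump_era(self, block: int) -> None:
        self.era += 1
        self.total_supply = 0
        self.last_era_start = block


@dataclass
class Proposal:
    created_era: int   # era when the proposal was created
    snapshot_era: int  # era at proposalSnapshot (when voting started)


def proposal_threshold(st: StRSR) -> int:
    # Percentage of supply, but never below the floor (recommendation 3).
    return max(st.total_supply * THRESHOLD_PCT // 100, MIN_PROPOSAL_POWER)


def in_cooldown(st: StRSR, block: int) -> bool:
    # Governance is frozen right after an era bump (recommendation 1).
    return block - st.last_era_start < ERA_COOLDOWN_BLOCKS


def started_in_same_era(p: Proposal, st: StRSR, use_creation_era: bool) -> bool:
    # use_creation_era=False reproduces the snapshot-based check the finding
    # criticises; True is the creation-time variant (recommendation 2).
    era_at_start = p.created_era if use_creation_era else p.snapshot_era
    return era_at_start == st.era


def can_propose(st: StRSR, block: int, voting_power: int) -> bool:
    if in_cooldown(st, block):
        return False
    return voting_power >= proposal_threshold(st)
```

With these checks, a proposal created just before an era bump but snapshotted just after it passes the snapshot-based era check yet fails the creation-based one, and a zero-supply era no longer yields a zero proposal threshold.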

akshatmittal commented 1 month ago

This is a known issue and one of the reasons why Guardian is a trusted role. Additionally, this is available in our past reports (see ones by Trust for example).

tbrent commented 1 month ago

See page 26 of this report

c4-judge commented 1 month ago

thereksfour marked the issue as unsatisfactory: Out of scope