Closed c4-bot-10 closed 1 month ago
This is a known issue and one of the reasons why Guardian is a trusted role. Additionally, this is available in our past reports (see ones by Trust for example).
See page 26 of this report
thereksfour marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2024-07-reserve/blob/main/contracts/plugins/governance/Governance.sol#L185
Vulnerability details
Description
The StRSR token gives voting power to the RSR stakers of an individual RToken. In some cases, StRSR is re-issued at a 1:1 rate, which starts a new staking era in which all balances are zeroed out and the total supply of StRSR is reset. This new period can be dangerous for the respective RToken system, since both the quorum and the proposer threshold are percentage values computed from the total supply of StRSR. Let's examine the scenarios in more detail.
Proof of concept
https://github.com/code-423n4/2024-07-reserve/blob/main/contracts/plugins/governance/Governance.sol#L185
There is a strict rule in governance that a proposal must be queued or executed in the same era in which it started. This is logical: since the votes are reset on an era bump, proposals from the previous era should be discarded as well. However, there is a small flaw: the timepoint used to judge whether a proposal belongs to the current era is its proposalSnapshot, i.e., the block at which voting on that proposal started, not the block at which it was created. This is counterintuitive given the rule above, and the proposer may no longer hold enough voting power to be a proposer by the time voting starts. The latter point is arguably minor, since the same situation can arise by buying voting power, proposing, and then dumping it, but it is still counterintuitive. The real problem is that the distribution of voting power at the time the proposal was created no longer holds. If voting starts shortly after a new era begins, the voting power has been reset and may be much easier to manipulate, so that somebody could profit from the system during such a window. This also leads us to another scenario.
Since the proposal threshold can even be zero during this time (e.g., one block after a new era begins the total supply of StRSR is 0, and so is the proposal threshold), this opens up room for 1) spam proposals, as no stake is needed to create a proposal, and 2) malicious proposals. Note that voting "power" can now be obtained fairly cheaply, and governance/staking may need some time to recover to a normal level.
Impact and likelihood
We believe the CANCELLER role plays a crucial part in mitigating such issues, but if we assume, as the docs state, that "It is acceptable if it is relatively slow to act", this issue may still pose a considerable risk to the protocol and its respective systems. Considering the presence of this role, the likelihood of such an issue should be judged LOW, while the impact should be judged HIGH; therefore, the severity of this issue should be considered MEDIUM.
Recommendation
proposalSnapshot in startedInSameEra
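To make the two scenarios from the proof of concept concrete, the following is an added Python model of the era mechanics the report describes; it is not the project's code and not part of the original report. It assumes a simplified StRSR-like token that checkpoints the era, the total supply and each holder's votes per block and zeroes all of them on an era bump, a governor whose proposalThreshold is a micro-percent share of the supply at clock - 1, and a startedInSameEra check keyed on the proposal's snapshot block, as the report states. The created_in_same_era variant, the address names and the numbers are assumptions chosen for the illustration, not anything taken from the page.

```python
# Added example: a toy model of era-aware governance checks (not Reserve's code).
from dataclasses import dataclass

ONE_HUNDRED_PERCENT = 1_000_000  # assumption: thresholds expressed in micro-percent


class StRSRModel:
    """Stand-in for an StRSR-style voting token with eras (assumed semantics)."""

    def __init__(self):
        self.era = 1
        self.total_supply = 0
        self.balances = {}
        self.history = []  # block -> (era, total_supply, balances) once mined

    @property
    def clock(self):
        """Block currently executing; every lower block is checkpointed."""
        return len(self.history)

    def mine(self, n=1):
        for _ in range(n):
            self.history.append((self.era, self.total_supply, dict(self.balances)))

    def stake(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.total_supply += amount

    def begin_new_era(self):
        """The 1:1 re-issue: every balance and the total supply reset to 0."""
        self.era += 1
        self.balances = {}
        self.total_supply = 0

    def _past(self, block):
        if block >= self.clock:
            raise ValueError("timepoint is not yet mined")
        return self.history[block]

    def current_era(self):
        return self.era

    def get_past_era(self, block):
        return self._past(block)[0]

    def get_past_total_supply(self, block):
        return self._past(block)[1]

    def get_past_votes(self, who, block):
        return self._past(block)[2].get(who, 0)


@dataclass
class Proposal:
    proposer: str
    created_era: int
    snapshot: int  # first voting block = creation block + voting delay


class GovernorModel:
    def __init__(self, token, threshold_micro_percent, voting_delay):
        self.token = token
        self.threshold_micro_percent = threshold_micro_percent
        self.voting_delay = voting_delay
        self.proposals = {}

    def proposal_threshold(self):
        """Share of the supply one block ago: 0 right after an era bump."""
        past_supply = self.token.get_past_total_supply(self.token.clock - 1)
        return (self.threshold_micro_percent * past_supply
                + ONE_HUNDRED_PERCENT - 1) // ONE_HUNDRED_PERCENT

    def propose(self, proposer):
        votes = self.token.get_past_votes(proposer, self.token.clock - 1)
        if votes < self.proposal_threshold():
            raise PermissionError(f"{proposer} is below the proposal threshold")
        pid = len(self.proposals) + 1
        self.proposals[pid] = Proposal(proposer, self.token.current_era(),
                                       self.token.clock + self.voting_delay)
        return pid

    def started_in_same_era(self, pid):
        """The check the report criticises: keyed on the snapshot block."""
        p = self.proposals[pid]
        return self.token.get_past_era(p.snapshot) == self.token.current_era()

    def created_in_same_era(self, pid):
        """Hypothetical stricter contrast keyed on the creation era (assumption)."""
        return self.proposals[pid].created_era == self.token.current_era()


def run_scenarios():
    token = StRSRModel()
    gov = GovernorModel(token, threshold_micro_percent=10_000, voting_delay=2)  # 1%
    token.stake("alice", 100)
    token.stake("others", 900)
    token.mine()                       # block 0: era 1, supply 1000
    threshold_era1 = gov.proposal_threshold()   # 1% of 1000 = 10 votes
    pid = gov.propose("alice")         # block 1: alice holds 100 votes
    token.mine()
    token.begin_new_era()              # block 2: era bump before the snapshot
    token.mine()
    token.mine()                       # block 3: the snapshot block, now in era 2
    # Block 4 (queue/execute): the snapshot-keyed check accepts a proposal
    # created under era-1 stakes that no longer exist.
    snapshot_check = gov.started_in_same_era(pid)
    creation_check = gov.created_in_same_era(pid)
    alice_votes_at_snapshot = token.get_past_votes("alice", 3)
    # Scenario 2: supply at clock - 1 is 0, so the threshold is 0 and an
    # address that never staked can propose.
    threshold_after_bump = gov.proposal_threshold()
    spam_pid = gov.propose("mallory")
    return {"threshold_era1": threshold_era1,
            "started_in_same_era": snapshot_check,
            "created_in_same_era": creation_check,
            "alice_votes_at_snapshot": alice_votes_at_snapshot,
            "threshold_after_bump": threshold_after_bump,
            "spam_proposal_id": spam_pid}


if __name__ == "__main__":
    print(run_scenarios())
```

In the model the proposal created at block 1 passes startedInSameEra at block 4 even though the era bumped at block 2 and the proposer's votes at the snapshot are 0, and the threshold computed one block after the bump is 0, so "mallory" proposes without ever staking. The created_in_same_era contrast only shows what a creation-era comparison would return here; it is not the report's recommendation.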
Assessed type
Governance