Proxy managers can set themselves as proxy

hats-bug-reporter[bot] commented 7 months ago

Github username: -- Twitter username: 97Sabit Submission hash (on-chain): 0xef1046a72d84382edfbf2e15abd9b886db3129210aee953ad1c16dc2a57ce72f Severity: high

Description: Description\ Proxy managers are able to set themselves as a user's voting proxy by calling setVoterProxy. There is no restriction on the endTimestamp they can set.

This allows a proxy manager to set themselves as a user's proxy with an endTimestamp very far in the future (e.g. 100 years from now). Even if the user later removes the proxy manager's permissions, the manager will still be set as the user's proxy and able to use their voting power until the end timestamp is reached.

For instance:

User Alice grants Bob permission as a proxy manager via approveProxyManager
Bob calls setVoterProxy setting themselves as the proxy for Alice, with a maxPower of 10% of Alice's voting power, and an endTimestamp of January 1, 2122.
Alice later decides to revoke Bob's proxy manager permissions by calling revokeProxyManager (for instance).
However, Bob is still set as Alice's proxy with 90% of her voting power until January 1, 2122.
Bob can continue voting on Alice's behalf even without her permission.

This allows proxy managers to indefinitely retain proxy access and voting rights, even after the user revokes their permissions. It undermines the ability for a user to revoke proxy manager permissions.

It is suggested that when revokeProxyManager (for instance) is called, also immediately clear any proxy set by that manager for the user.