Closed github-actions[bot] closed 1 year ago
We previously discussed and collectively decided to avoid having any proposal threshold in order to maximize participation. We already bound the number of sorts in the screening round to 10 or less by only sorting the current top ten, and only running sort if a proposal would qualify to be added to the top 10. Also, insertion sort runs faster than quick sort on the EVM. We could add a revert for any screening votes with a voting power of 0 (but that user would then just be wasting gas for no effect on others or the vote state), and this revert check would raise gas costs for all others.
Closing this based on the Sponsor comment, as in the protocol only proposals that qualify for the top 10 would be sorted.
ctf_sec
medium
Adversary can create spam proposals and DOS the voting because of the lack of proposalThreshold validation
Summary
Adversary can create spam proposals and DOS the voting because of the low proposalThreshold
Vulnerability Detail
Below is the current implementation, the GrandFund.sol contract inherits from Governor
note the import and the constructor:
and
While a few methods are overridden, the function proposalThreshold is not overridden and is still hardcoded to 0
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/b1c2c43d6af6adf0b0a74cc77683b1d13d66e8bc/contracts/governance/Governor.sol#L196
When creating the proposal, the code does not validate if the creator has met the voting power threshold as well
Then anyone can spam proposals at low cost (only the gas cost needs to be paid).
Impact
The problem is that after a lot of spam proposals are created, the function below is impacted:
which calls _insertionSortProposalsByVotes
which calls:
The insertion sort runs in O(n^2), which means if there are 11 unscreened proposals, the loop needs to run 11 ** 11 = 121 times.
If the adversary creates 100 spam proposals, the loop needs to run 10000 times, which is very cost inefficient.
The spammer can keep spamming irrelevant proposals until the insertion sort is too gas-costly to run, which blocks and reverts the screening process.
Code Snippet
https://github.com/sherlock-audit/2023-01-ajna/blob/main/ecosystem-coordination/src/grants/base/StandardFunding.sol#L535-L555
https://github.com/sherlock-audit/2023-01-ajna/blob/main/ecosystem-coordination/src/grants/base/StandardFunding.sol#L391-L436
Tool used
Manual Review
Recommendation
First of all, we recommend the proposal implement a minimum voting power proposal threshold to block spam proposal creation.
Also consider eliminating 0-voted proposals before running the sort.
And can implement the in-place quick sort to improve the running time of sorting from O(n^2) to O(n log n).
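
The bound described in the Sponsor comment can be checked with a small model. This is an added Python example, not Ajna's contract code and not part of the original thread. It counts the insertion-sort work per screening vote when only a top-ten list is kept sorted. The class and function names, the qualifying rule (the list has room, or the proposal's votes beat the lowest entry) and the vote amounts are assumptions made for the illustration.

```python
# Added model, not Ajna's contract code. Assumed rule: a proposal enters the
# top-ten list only if the list has room or its votes beat the lowest entry.
TOP_N = 10

class Screening:
    def __init__(self):
        self.votes = {}        # proposal id -> cumulative screening votes
        self.top = []          # ids of the current top proposals, descending
        self.max_shifts = 0    # worst sort work seen for any single vote

    def propose(self, pid):
        # No proposal threshold: creation costs only gas, as in the report.
        self.votes[pid] = 0

    def vote(self, pid, power):
        self.votes[pid] += power
        if pid not in self.top:
            if len(self.top) < TOP_N:
                self.top.append(pid)
            elif self.votes[pid] > self.votes[self.top[-1]]:
                self.top[-1] = pid      # evict the lowest-ranked entry
            else:
                return 0                # does not qualify: no sort is run
        # One insertion-sort pass: move the updated entry toward the front.
        shifts = 0
        i = self.top.index(pid)
        while i > 0 and self.votes[self.top[i - 1]] < self.votes[self.top[i]]:
            self.top[i - 1], self.top[i] = self.top[i], self.top[i - 1]
            i -= 1
            shifts += 1
        self.max_shifts = max(self.max_shifts, shifts)
        return shifts

def simulate(spam_count, honest_count=12):
    s = Screening()
    ids = [f"spam-{n}" for n in range(spam_count)]
    ids += [f"honest-{n}" for n in range(honest_count)]
    for pid in ids:
        s.propose(pid)
    # Constructed sample input: spam receives dust votes, honest ones real votes.
    for pid in ids:
        n = int(pid.split("-")[1])
        s.vote(pid, 1 if pid.startswith("spam") else 1000 + n)
    return s.max_shifts, s.top
```

In this model the worst-case work for a single vote is the same with 0 or 1000 spam proposals, because the sorted list never holds more than ten entries.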