sherlock-audit / 2023-01-uxd-judging


HonorLt - Vulnerable GovernorVotesQuorumFraction version #423

Open github-actions[bot] opened 1 year ago

github-actions[bot] commented 1 year ago

HonorLt

high

Vulnerable GovernorVotesQuorumFraction version

Summary

The protocol uses an OZ version of contracts that contains a known vulnerability in the governance contracts.

Vulnerability Detail

UXDGovernor contract inherits from GovernorVotesQuorumFraction:

```solidity
contract UXDGovernor is
    ReentrancyGuard,
    Governor,
    GovernorVotes,
    GovernorVotesQuorumFraction,
    GovernorTimelockControl,
    GovernorCountingSimple,
    GovernorSettings
```

An OZ security recommendation has revealed a known vulnerability in this contract: https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-xrc4-737v-9q75

It was patched in version 4.7.2, but this protocol uses an older version: "@openzeppelin/contracts": "^4.6.0"

Impact

The potential impact is described in the OZ advisory. This issue was assigned a severity of High by OZ, so I am sticking with that in this submission.

Code Snippet

https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/governance/UXDGovernor.sol#L37

Tool used

Manual Review

Recommendation

Update the OZ version of contracts to version >=4.7.2 or at least follow the workarounds of OZ if not possible otherwise.
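The following is an added Python model, not code from the submission or from the UXD or OpenZeppelin repositories. It mirrors the quorum arithmetic of `GovernorVotesQuorumFraction` (`quorum = pastTotalSupply * numerator / denominator`, compared against the votes counted by `GovernorCountingSimple`) in two variants: a single-slot numerator, as in the 4.6.x line the protocol pins, and a block-checkpointed numerator history, as introduced by the 4.7.2 fix. The proposal, block numbers, supply and vote counts are constructed sample values; the class and function names are the model's own, not the library's.

```python
from bisect import bisect_right
from dataclasses import dataclass

QUORUM_DENOMINATOR = 100  # OpenZeppelin's default quorumDenominator()


@dataclass
class Proposal:
    """Constructed stand-in for the state a Governor keeps per proposal."""
    snapshot_block: int            # block at which voting power and supply are read
    for_votes: int                 # forVotes (+ abstainVotes in GovernorCountingSimple)
    total_supply_at_snapshot: int  # token.getPastTotalSupply(snapshot_block)


class SingleSlotQuorum:
    """Model of the pre-4.7.2 behaviour: one storage value, read at call time,
    so quorum(blockNumber) depends on the *current* numerator, not the one in
    force when the proposal was created."""

    def __init__(self, numerator: int) -> None:
        self.numerator = numerator

    def update(self, block: int, numerator: int) -> None:
        self.numerator = numerator  # block is ignored: no history is kept

    def quorum(self, block: int, supply: int) -> int:
        return supply * self.numerator // QUORUM_DENOMINATOR


class CheckpointedQuorum:
    """Model of the 4.7.2 fix: every numerator change is recorded with the block
    it took effect, and quorum(blockNumber) uses the latest checkpoint whose
    block is <= blockNumber (the value in force at the proposal snapshot)."""

    def __init__(self, numerator: int) -> None:
        self._blocks = [0]
        self._values = [numerator]

    def update(self, block: int, numerator: int) -> None:
        # Checkpoints are appended in block order; same-block updates overwrite.
        if block < self._blocks[-1]:
            raise ValueError("checkpoint blocks must be non-decreasing")
        if block == self._blocks[-1]:
            self._values[-1] = numerator
        else:
            self._blocks.append(block)
            self._values.append(numerator)

    def numerator_at(self, block: int) -> int:
        return self._values[bisect_right(self._blocks, block) - 1]

    def quorum(self, block: int, supply: int) -> int:
        return supply * self.numerator_at(block) // QUORUM_DENOMINATOR


def quorum_reached(strategy, proposal: Proposal) -> bool:
    """GovernorCountingSimple._quorumReached: quorum(snapshot) <= counted votes."""
    return strategy.quorum(proposal.snapshot_block,
                           proposal.total_supply_at_snapshot) <= proposal.for_votes


def scenario(strategy_cls):
    """A proposal that misses a 40% quorum, followed by the numerator being
    lowered to 20% at a later block. Returns (quorum reached before the change,
    quorum reached after the change) for the given quorum model."""
    strategy = strategy_cls(numerator=40)
    proposal = Proposal(snapshot_block=100, for_votes=30,
                        total_supply_at_snapshot=100)
    before = quorum_reached(strategy, proposal)   # 40 <= 30 -> False
    strategy.update(block=200, numerator=20)      # governance lowers quorum later
    after = quorum_reached(strategy, proposal)
    return before, after


if __name__ == "__main__":
    print("single slot (pre-4.7.2):", scenario(SingleSlotQuorum))   # (False, True)
    print("checkpointed (4.7.2+):  ", scenario(CheckpointedQuorum))  # (False, False)
```

With the single-slot model the already-defeated proposal flips to having reached quorum once the numerator is lowered; with the checkpointed model the proposal keeps the 40% quorum that applied at its snapshot. When checking whether a deployment is affected, verify the version that is actually installed (the lockfile or the compiled artifact) rather than the `^4.6.0` range in `package.json`, since a caret range can resolve to either side of 4.7.2 depending on when dependencies were last resolved.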

WarTech9 commented 1 year ago

This was already fixed here: https://github.com/UXDProtocol/uxd-evm/commit/dcaa0e857111f3f7946ee5c5a188dbb23ca80859

hrishibhat commented 1 year ago

This requires a certain scenario where the previous quorum should have failed and the quorum fraction has to be changed, after which this issue could be valid. Considering this issue a valid medium.

IAm0x52 commented 1 year ago

Fix looks good. Contract version has been updated.