github-actions[bot] opened 1 year ago
This was already fixed here: https://github.com/UXDProtocol/uxd-evm/commit/dcaa0e857111f3f7946ee5c5a188dbb23ca80859
This requires a certain scenario where the previous quorum should have failed and the quorum fraction has to be changed, post which this issue could be valid. Considering this issue a valid medium.
Fix looks good. Contract version has been updated.
HonorLt
high
Vulnerable GovernorVotesQuorumFraction version
Summary
The protocol uses an OZ version of contracts that contains a known vulnerability in the governance contracts.
Vulnerability Detail
The UXDGovernor contract inherits from GovernorVotesQuorumFraction. An OZ security advisory has disclosed a known vulnerability in this contract: https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-xrc4-737v-9q75
It was patched in version 4.7.2, but this protocol uses an older version: "@openzeppelin/contracts": "^4.6.0"
Impact
The potential impact is described in the OZ advisory. This issue was assigned a severity of High by OZ, so I am sticking with it in this submission.
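To make the failure mode concrete, here is an added, simplified Python model of the quorum logic (this is not OpenZeppelin code and not the UXD contracts). It assumes a constant token supply so that the quorum numerator is the only moving part; the real GovernorVotesQuorumFraction also reads the past total supply at the proposal snapshot, and the 4.7.2 fix stores numerator changes in a Checkpoints.History rather than the plain list used here. The class and function names are this model's own.

```python
"""
Model of the GovernorVotesQuorumFraction quorum bug and its 4.7.2 fix.

Added, simplified model (not OpenZeppelin code, not the UXD contracts).
Assumes a constant token supply; OpenZeppelin's real implementation also
reads getPastTotalSupply at the proposal snapshot.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Proposal:
    snapshot_block: int  # block at which votes/supply are frozen
    for_votes: int       # votes counted toward quorum (constructed value)


class VulnerableQuorumFraction:
    """Pre-4.7.2 behaviour: a single numerator, read whenever quorum is evaluated."""

    def __init__(self, total_supply: int, numerator: int, denominator: int = 100):
        self.total_supply = total_supply
        self.numerator = numerator
        self.denominator = denominator

    def update_quorum_numerator(self, new_numerator: int, block: int) -> None:
        # The block argument is ignored: the change applies retroactively to
        # every proposal, including ones whose voting period already ended.
        self.numerator = new_numerator

    def quorum(self, block_number: int) -> int:
        return self.total_supply * self.numerator // self.denominator

    def quorum_reached(self, proposal: Proposal) -> bool:
        # Re-evaluated on every call, so a later numerator change flips the result.
        return proposal.for_votes >= self.quorum(proposal.snapshot_block)


class CheckpointedQuorumFraction(VulnerableQuorumFraction):
    """4.7.2 behaviour: numerator changes are checkpointed by block, and
    quorum(block) uses the numerator that was in force at that block."""

    def __init__(self, total_supply: int, numerator: int, denominator: int = 100):
        super().__init__(total_supply, numerator, denominator)
        self._history: List[Tuple[int, int]] = [(0, numerator)]  # (block, numerator)

    def update_quorum_numerator(self, new_numerator: int, block: int) -> None:
        assert block >= self._history[-1][0], "checkpoints must be appended in block order"
        self._history.append((block, new_numerator))

    def numerator_at(self, block_number: int) -> int:
        # Latest checkpoint whose block is <= block_number (OZ does a binary
        # search over Checkpoints.History; a linear scan is enough for a model).
        value = self._history[0][1]
        for block, numerator in self._history:
            if block > block_number:
                break
            value = numerator
        return value

    def quorum(self, block_number: int) -> int:
        return self.total_supply * self.numerator_at(block_number) // self.denominator


def replay_scenario(governor_cls) -> Tuple[bool, bool]:
    """Scenario from the advisory: a proposal misses quorum, then the numerator
    is lowered. Returns (quorum reached before the change, after the change)."""
    gov = governor_cls(total_supply=1_000_000, numerator=40)
    proposal = Proposal(snapshot_block=100, for_votes=200_000)  # 20% of supply
    before = gov.quorum_reached(proposal)       # 200_000 < 400_000
    gov.update_quorum_numerator(10, block=150)  # quorum lowered to 10% after voting ended
    after = gov.quorum_reached(proposal)
    return before, after


if __name__ == "__main__":
    print("vulnerable  :", replay_scenario(VulnerableQuorumFraction))
    print("checkpointed:", replay_scenario(CheckpointedQuorumFraction))
```

The vulnerable model reports the same proposal as failed before the numerator change and as having reached quorum afterwards; the checkpointed model keeps reading the 40% numerator that applied at block 100, so the outcome of an already-closed vote cannot change.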
Code Snippet
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/governance/UXDGovernor.sol#L37
Tool used
Manual Review
Recommendation
Update the OZ contracts package to version >=4.7.2, or at least follow the OZ workarounds if upgrading is not possible.
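A caret range such as "^4.6.0" only states which versions are acceptable; the version actually compiled in is whatever the lockfile pinned or node_modules contains. The following added check (not part of the UXD repository) compares the resolved @openzeppelin/contracts version against the patched release named in the advisory. The node_modules path is an assumed default, and a range string is judged by its lower bound, which is the conservative reading.

```python
"""
Added check (not part of the UXD repository): confirm that the installed
@openzeppelin/contracts package is at or above the patched release 4.7.2.
"""
import json
import re
from pathlib import Path
from typing import Optional, Tuple

PATCHED_VERSION = "4.7.2"  # release that fixed GHSA-xrc4-737v-9q75
_SEMVER = re.compile(r"^[v^~]?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch; pre-release and build metadata are ignored.
    A leading ^ or ~ range marker is stripped so the lower bound can be read."""
    match = _SEMVER.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return major, minor, patch


def is_patched(installed: str, minimum: str = PATCHED_VERSION) -> bool:
    """True if the given version includes the GovernorVotesQuorumFraction fix."""
    return parse_version(installed) >= parse_version(minimum)


def installed_oz_version(node_modules: Path = Path("node_modules")) -> Optional[str]:
    """Read the resolved version from node_modules/@openzeppelin/contracts/package.json
    (assumed layout; returns None when the package is not installed)."""
    manifest = node_modules / "@openzeppelin" / "contracts" / "package.json"
    if not manifest.is_file():
        return None
    return json.loads(manifest.read_text())["version"]


def audit(installed: Optional[str]) -> str:
    """One-line verdict for the resolved version (or for a range's lower bound)."""
    if installed is None:
        return "@openzeppelin/contracts not installed: nothing to check"
    state = "patched" if is_patched(installed) else "VULNERABLE"
    return f"@openzeppelin/contracts {installed}: {state} (fix landed in {PATCHED_VERSION})"


if __name__ == "__main__":
    # Range from the project's package.json, then whatever is really installed.
    print(audit("^4.6.0"))
    print(audit(installed_oz_version()))
```

Run it from the project root after installing dependencies; a lockfile that resolves the range to 4.7.2 or later passes, while a lower bound of 4.6.0 is reported as vulnerable because nothing in the manifest guarantees the fix is present.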