Closed sherlock-admin4 closed 5 months ago
While true, I'd argue that this is of low severity, or actually not an issue at all because:
setProposalFee is always a valid and executable proposal within the context of the Standard Governor.
If anything, the whitepaper needs updating for more detail, because that sentence was added as an FAQ, rather than act as a detailed statement of absolute mechanics of the contracts.
This is a design decision and tradeoff. Reset is a very serious, rare, and fundamental event. Also, this situation won't lead to loss of funds, so it cannot be classified as a Sherlock issue.
@deluca-mike @toninorair I believe this issue highlights a correct inconsistency during the time of the audit. Based on the information provided, proposal fees are not supposed to be returned after RESET events, but the watson highlighted an edge case scenario that allows it to. So I am inclined to keep medium severity.
@nevillehuang since this inconsistency doesn't lead to the loss of funds, I don't think it should be labeled as medium. Low/Informational would be more appropriate.
0xpiken
medium
The proposer of the setProposalFee() has a chance to retrieve their proposal fee after the RESET event, while others do not have this opportunity.
Summary
When a RESET event happens, PowerToken, StandardGovernor and EmergencyGovernor will be redeployed. Certora identified one problem of proposalFee:
The sponsor stated in Audit review that it is by design.
StandardGovernor supports five types of proposals:
However, the proposal setProposalFee might have a chance to be executed successfully and return the proposal fee to the proposer while other proposals will revert.
Vulnerability Detail
When a proposal in StandardGovernor succeeds, anyone can call StandardGovernor#execute() to execute the succeeded proposal. Once executed, the proposal fee will be returned to the proposer. Let's take a look at how the addToList proposal is executed:
First, addToList() can only be called by StandardGovernor itself:
Then, registrar#addToList() will be called to finish the rest:
The function registrar#addToList() can only be accessed by StandardGovernor or EmergencyGovernor. Either StandardGovernor or EmergencyGovernor will always be the lastDeploy() of its deployer:
In case of a RESET event, the proposals in the old StandardGovernor should fail to execute due to access control: standardGovernorDeployer.lastDeploy() has been updated.
However, setProposalFee() doesn't have to access any call in registrar. It can be executed without any restrictions:
Copy the code below into resetToPowerHolders.t.sol and run forge test --match-test test_ExecuteOldProposalAfterResetToPowerHolders
Impact
When a RESET event happens, the response mechanism for unexpired proposals in the old StandardGovernor lacks consistency, resulting in the design being broken.
Code Snippet
https://github.com/sherlock-audit/2023-10-mzero/blob/main/ttg/src/StandardGovernor.sol#L225-L227
Tool used
Manual Review
Recommendation
The design should remain consistent. Either all proposal fees should be sent to the vault, or they should be returned to the proposers.
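
The inconsistency described in this report, as a simplified Python model added here for illustration; it is not code from the report or from the audited contracts. The class names, run_scenario, the proposers "alice" and "bob" and the fee of 100 are constructed, and voting is omitted so that both proposals are treated as already succeeded.

```python
class Revert(Exception):
    """Stands in for an EVM revert."""

class Deployer:
    def __init__(self):
        self.last_deploy = None  # models lastDeploy() from the report

class Registrar:
    def __init__(self, deployer):
        self.deployer, self.lists = deployer, set()

    def add_to_list(self, caller, item):
        # Access control from the report: caller must be the deployer's lastDeploy().
        if caller is not self.deployer.last_deploy:
            raise Revert("caller is not the current governor")
        self.lists.add(item)

class Governor:
    def __init__(self, registrar):
        self.registrar, self.proposal_fee = registrar, 0
        self.escrow, self.refunded = {}, {}

    def propose(self, pid, proposer, action, arg, fee):
        self.escrow[pid] = (proposer, action, arg, fee)

    def execute(self, pid):
        proposer, action, arg, fee = self.escrow[pid]
        if action == "addToList":
            self.registrar.add_to_list(self, arg)  # reverts for a stale governor
        elif action == "setProposalFee":
            self.proposal_fee = arg                # local state only, no registrar call
        del self.escrow[pid]                       # reached only if nothing reverted
        self.refunded[proposer] = self.refunded.get(proposer, 0) + fee

def run_scenario():
    deployer = Deployer()
    registrar = Registrar(deployer)
    old = Governor(registrar)
    deployer.last_deploy = old
    old.propose(1, "alice", "addToList", "item-x", fee=100)
    old.propose(2, "bob", "setProposalFee", 5, fee=100)
    deployer.last_deploy = Governor(registrar)     # RESET: a new governor is deployed
    outcome = {}
    for pid in (1, 2):
        try:
            old.execute(pid)
            outcome[pid] = "executed"
        except Revert:
            outcome[pid] = "reverted"
    return outcome, old.refunded, sorted(old.escrow)
```
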