search

sherlock-audit / 2023-10-mzero-judging

3 stars 2 forks source link

kgothatso - infinite function can finish gas and cause DOS #69

Closed sherlock-admin3 closed 5 months ago

sherlock-admin3 commented 5 months ago

kgothatso

high

infinite function can finish gas and cause DOS

Summary

the function can run forever and revert any vote from being registered.

Vulnerability Detail

this function has a recursive call to it has and has no condition to stop it

  function _castVote(
        address voter_,
        uint256 proposalId_,
        uint8 support_,
        string memory reason_
    ) internal returns (uint256 weight_) {
        ProposalState state_ = state(proposalId_);

        if (state_ != ProposalState.Active) revert ProposalInactive(state_);

        unchecked {
            // NOTE: Can be done unchecked since `voteStart` is always greater than 0.
            weight_ = getVotes(voter_, _proposals[proposalId_].voteStart - 1);
        }

@>        _castVote(voter_, weight_, proposalId_, support_, reason_);
    }

Impact

1.can revert when it calls its selfs again, can fish the gas because of an infinite loop and can cast many votes

  1. All proposals can fail because cast votes is not working as intended
  2. incorrect number of votes can be assigned

    Code Snippet

https://github.com/sherlock-audit/2023-10-mzero/blob/main/ttg/src/abstract/BatchGovernor.sol#L457

Tool used

Manual Review

Recommendation

remove this line of code

  function _castVote(
        address voter_,
        uint256 proposalId_,
        uint8 support_,
        string memory reason_
    ) internal returns (uint256 weight_) {
        ProposalState state_ = state(proposalId_);

        if (state_ != ProposalState.Active) revert ProposalInactive(state_);

        unchecked {
            // NOTE: Can be done unchecked since `voteStart` is always greater than 0.
            weight_ = getVotes(voter_, _proposals[proposalId_].voteStart - 1);
        }

-        _castVote(voter_, weight_, proposalId_, support_, reason_);
    }
nevillehuang commented 5 months ago

Invalid, no PoC required for gas griefing issues required by sherlock

deluca-mike commented 5 months ago

Also invalid because the _castVote functions are not the same, so it is not recursive.