Closed sherlock-admin3 closed 5 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
but voting isn't executing the proposal(even if possible)
Invalid, votes are always retrieved as voting power from previous epoch during voting period, so voting power cannot be artificially inflated via flashloaned
0xhashiman
medium
Users can vote on proposals using flash loans
Summary
The ZeroGovernor contract inherits all the logic from ThresholdGovernor which have external function that allow users to propose and execute proposals however in both of those contract the value of _votingDelay is 0 which means users can propose and vote at the same block.
Vulnerability Detail
The function _votingDelay() in ThresholdGovernor returns the number of clock values that must elapse before voting begins for a newly created proposal but it returns 0 as you can see in this code. If the execution of the proposal can be on the same block by any chance malicious users can request floashloans and vote in favor for their proposal but since their is a time before the proposing and executing even 1 block can reduce the chances of this attack.
Impact
Since the project is hardcoding the value of voting delay to 0, users can vote at the same block as creating the proposal they can leverage flashloans in order to achieve this also.
Code Snippet
_votingDelay() https://github.com/sherlock-audit/2023-10-mzero/blob/main/ttg/src/abstract/ThresholdGovernor.sol#L171-L173 usage of _votingDelay to determine the votingStart https://github.com/sherlock-audit/2023-10-mzero/blob/main/ttg/src/abstract/BatchGovernor.sol#L622-L626
Tool used
Manual Review
Recommendation
I recommend the project to modify this value instead of 0 use at least 1 block between proposing and executing.