0xhashiman - Users can vote on proposals using flash loans

[sherlock-admin3]

0xhashiman

medium

Users can vote on proposals using flash loans

Summary

The ZeroGovernor contract inherits all the logic from ThresholdGovernor which have external function that allow users to propose and execute proposals however in both of those contract the value of _votingDelay is 0 which means users can propose and vote at the same block.

Vulnerability Detail

The function _votingDelay() in ThresholdGovernor returns the number of clock values that must elapse before voting begins for a newly created proposal but it returns 0 as you can see in this code. If the execution of the proposal can be on the same block by any chance malicious users can request floashloans and vote in favor for their proposal but since their is a time before the proposing and executing even 1 block can reduce the chances of this attack.

Impact

Since the project is hardcoding the value of voting delay to 0, users can vote at the same block as creating the proposal they can leverage flashloans in order to achieve this also.

Code Snippet

_votingDelay() https://github.com/sherlock-audit/2023-10-mzero/blob/main/ttg/src/abstract/ThresholdGovernor.sol#L171-L173 usage of _votingDelay to determine the votingStart https://github.com/sherlock-audit/2023-10-mzero/blob/main/ttg/src/abstract/BatchGovernor.sol#L622-L626

Tool used

Manual Review

Recommendation

I recommend the project to modify this value instead of 0 use at least 1 block between proposing and executing.

[sherlock-admin2]

1 comment(s) were left on this issue during the judging contest.

takarez commented:

but voting isn't executing the proposal(even if possible)

[nevillehuang]

Invalid, votes are always retrieved as voting power from previous epoch during voting period, so voting power cannot be artificially inflated via flashloaned