sherlock-audit / 2024-06-makerdao-endgame-judging


0xaliyah - h-04 `VoteDelegate` Contract Governance roles 0xaliyah #19

Closed sherlock-admin2 closed 1 month ago

sherlock-admin2 commented 1 month ago

0xaliyah

High

h-04 VoteDelegate Contract Governance roles 0xaliyah

Summary

0xaliyah

title: VoteDelegate Contract Governance Roles

  1. Methods in the VoteDelegate contract allow the delegate to execute votes on governance decisions without emitting events or using time-lock mechanisms.

Vulnerability Detail

  1. The vote methods (vote(address[] memory yays) and vote(bytes32 slate)) and votePoll methods (votePoll(uint256 pollId, uint256 optionId) and votePoll(uint256[] calldata pollIds, uint256[] calldata optionIds)) enable the delegate to make impactful decisions for the protocol governance without transparency.
  2. If these methods lack a two-step process with a mandatory time window, they allow immediate execution of actions, which can lead to governance manipulation or misuse, perhaps without prior notice.

Impact

  1. High impact and medium likelihood.
  2. The absence of event emissions and time-lock mechanisms leads to untraceable governance changes and potential misuse of delegate authority.

Code Snippet

(Images attached in the original issue: poc 01, poc 02.)

Tool used

Manual Review

Recommendation

  1. A time-lock mechanism for the sensitive functions.
  2. A two-step process with a mandatory delay for impactful changes.

openzeppelin consensys

telome commented 1 month ago

The claim that the vote functions do not emit events is incorrect. The claim that these functions allow enacting decisions without a delay is also incorrect, as these functions are part of a multi-step mechanism for governance decisions. In any case, the points raised in this issue are outside the scope of this contest.

sabatha7 commented 1 month ago

@telome VoteDelegate.sol is 61 nSLOC and did show up in the scope (see scope). Apologising for any inconvenience caused. Where you refer to "are part of a multi-steps mechanism", I will attempt to say it is my fault; it is not as easy to track everything without documentation. Thanks. Will try Copilot next time. Please send a link for your claim, thank you. Apologising for any inconvenience made.