An attacker can prevent a fair vote from completing in CollectionShutdown by frontrunning execute.
Vulnerability Detail
Since anyone can call cancel() in CollectionShutdown.sol it is possible to frontrun execution of execute() function, which allows an attacker to prevent a fair vote from being completed.
The number of votes reaches quorumVotes and canExecute becomes true,
Owner calls execute,
The attacker front-runs the Owner's transaction with their own, in which they call cancel,
The fair vote is cancelled, it needs to be started again, the attacker can do this as many times as they want since the attack doesn't require significant resources.
Impact
DoS of voting, users have to withdraw their votes and vote again, which in turn causes gas expenses
Tool used
Manual Review
Recommendation
To avoid these risks, in our opinion, one of the following solutions can be used:
Remove the ability for anyone to cancel the voting, delegate such rights either only to the Owner or, at the very least, to a collection holder, which will reduce the risks of such attack scenarios, but this only increases the cost of the attack, as the attacker would need to be a collection holder
To completely eliminate such risks - it is necessary to remove the cancel function as this is generally a strange solution, considering that one person can decide for all collection holders.
Cuddly Ocean Gibbon
Medium
Frontrun of execute can lead the DOS of voting
Summary
An attacker can prevent a fair vote from completing in
CollectionShutdown
by frontrunningexecute
.Vulnerability Detail
Since anyone can call
cancel()
inCollectionShutdown.sol
it is possible to frontrun execution ofexecute()
function, which allows an attacker to prevent a fair vote from being completed.https://github.com/sherlock-audit/2024-08-flayer/blob/main/flayer/src/contracts/utils/CollectionShutdown.sol#L390-L405
Attack scenario:
quorumVotes
andcanExecute
becomestrue
,Owner
callsexecute
,Owner
's transaction with their own, in which they callcancel
,Impact
DoS of voting, users have to withdraw their votes and vote again, which in turn causes gas expenses
Tool used
Manual Review
Recommendation
To avoid these risks, in our opinion, one of the following solutions can be used:
Owner
or, at the very least, to a collection holder, which will reduce the risks of such attack scenarios, but this only increases the cost of the attack, as the attacker would need to be a collection holdercancel
function as this is generally a strange solution, considering that one person can decide for all collection holders.