Community member Black Cow reported a vulnerability caused by missing access control in the setExecutedCount method.
Configuration
Severity: High
Impact
When an agenda is created through createAgenda with atomicExecute set to false, the agenda's executeStartFrom value can be adjusted so that, when the agenda contains multiple functions, specific functions are skipped during execution. As a result, when there are multiple agendas to execute, the execution of every function except the last one can be adjusted.
If the agenda is maliciously executed so that the last function always fails, the agenda can be executed again and again.
Recommendation
Change the agenda creation function so that the atomicExecute variable can only be set to true, which prevents partial execution of the agenda's items.
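A sketch of the recommended fix together with an access check on the setter, as an added example that is not the project's own code. The contract name, storage layout, the `committee` role, the `onlyCommittee` modifier and the add-to-cursor semantics of `setExecutedCount` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified agenda store (assumed layout); not the project's contract.
contract AgendaStoreSketch {
    struct Agenda {
        address[] targets;
        bytes[] callData;
        uint256 executeStartFrom; // index of the next function to run
        bool atomicExecute;
        bool executed;
    }

    address public immutable committee; // assumed: the only trusted caller
    Agenda[] private agendas;

    modifier onlyCommittee() {
        require(msg.sender == committee, "not committee");
        _;
    }

    constructor(address committee_) {
        committee = committee_;
    }

    // Recommendation from the report: accept only atomicExecute == true.
    function createAgenda(address[] memory targets, bytes[] memory callData, bool atomicExecute)
        external onlyCommittee returns (uint256 id)
    {
        require(atomicExecute, "partial execution disabled");
        require(targets.length == callData.length, "length mismatch");
        id = agendas.length;
        Agenda storage a = agendas.push();
        a.targets = targets;
        a.callData = callData;
        a.atomicExecute = true;
    }

    // The report attributes the issue to this setter having no access control.
    // Here it is restricted, bounds-checked, and can only move the cursor forward.
    function setExecutedCount(uint256 id, uint256 count) external onlyCommittee {
        Agenda storage a = agendas[id];
        require(!a.executed, "already executed");
        uint256 next = a.executeStartFrom + count;
        require(next <= a.targets.length, "count out of range");
        a.executeStartFrom = next;
        a.executed = next == a.targets.length;
    }
}
```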