shw
Most of the functions with a governanceApproved modifier call flashGoverner.enforceTolerance to ensure the provided parameters are restricted to some range of their original values. However, in the governanceApproved modifier, flashGoverner.setEnforcement(true); is called after the function body is executed, and thus the changed values are not restricted during the function execution.
An attacker can exploit this bug to change some critical parameters to arbitrary values by flash governance decisions. The effect will last until the community executes another proposal to correct the values. In the meanwhile, the attacker may make use of the corrupted values to launch an attack.
Referenced code:
DAO/Governable.sol#L46-L57
Limbo.sol#L380-L381
Limbo.sol#L327-L329
Limbo.sol#L530
Limbo.sol#L628-L630
Rewrite the _governanceApproved function and the governanceApproved modifier as follows:
function _governanceApproved(bool emergency) internal {
bool successfulProposal = LimboDAOLike(DAO).successfulProposal(msg.sender);
if (successfulProposal) {
flashGoverner.setEnforcement(false);
} else if (configured) {
flashGoverner.setEnforcement(true);
flashGoverner.assertGovernanceApproved(msg.sender, address(this), emergency);
}
}
modifier governanceApproved(bool emergency) {
_governanceApproved(emergency);
_;
}
The text was updated successfully, but these errors were encountered:
All reactions