Code4rena (github.com): code423n4 / 2023-07-arcade-findings, issue 563
Jul 28, 2023

Malicious user can create a harmful proposal and execute it by setting a very low quorum.

Tags: malicious proposal, low quorum, governance, vulnerability, mitigation

Lines of code

Vulnerability details

Impact

A malicious user can create a harmful proposal and execute it by setting a very low quorum, which can lead to very bad consequences for the protocol.

Proof of Concept

When a proposal is created, the quorum calculation logic looks like this (fragment of the proposal function):

    // get the quorum requirement for this proposal. The quorum requirement is equal to
    // the greatest quorum item in the proposal
    uint256 quorum;

    for (uint256 i = 0; i < targets.length; i++) {
        // function selector should be the first 4 bytes of the calldata
        bytes4 selector = _getSelector(calldatas[i]);

        uint256 unitQuorum = _quorums[targets[i]][selector];

        // don't assume baseQuorum is the highest
        unitQuorum = unitQuorum == 0 ? baseQuorum : unitQuorum;
        if (unitQuorum > quorum) {
            quorum = unitQuorum;
        }
    }

Here the quorum calculation depends entirely on user-provided, unvalidated parameters (the targets and calldatas of the proposal). There is also no check that the resulting quorum is at least baseQuorum. A malicious user can therefore supply targets and calldatas that select a very low quorum, create a proposal with that quorum, and eventually execute it with only a small amount of voting power.

Tools Used

Manual review

Recommended Mitigation Steps

Strictly maintain baseQuorum as the floor.
Check whether the computed quorum is less than baseQuorum, and revert if it is.
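As an added illustration (not code from the Arcade or Council repositories), the following Python model reproduces the quorum selection loop quoted in the Proof of Concept and places it beside the revert check recommended above. The target name, quorum values and the `compute_quorum_vulnerable`, `compute_quorum_fixed` and `demo` names are constructed here for the example; the 4-byte selector is the ERC-20 `transfer(address,uint256)` selector, used only as a sample value.

```python
# Added example: a Python model of the quorum selection loop quoted in this
# finding, beside the revert check recommended in the mitigation. It is not
# code from the project; the target, quorum table and values are constructed.
from typing import Dict, List, Tuple

Selector = bytes                                   # first 4 bytes of calldata
QuorumTable = Dict[Tuple[str, Selector], int]      # models _quorums[target][selector]


def get_selector(calldata: bytes) -> Selector:
    """Model of _getSelector: the function selector is the first 4 bytes of calldata."""
    if len(calldata) < 4:
        raise ValueError("calldata shorter than a 4-byte selector")
    return calldata[:4]


def compute_quorum_vulnerable(targets: List[str], calldatas: List[bytes],
                              quorums: QuorumTable, base_quorum: int) -> int:
    """The loop as quoted: take the greatest per-(target, selector) quorum, with
    unset entries falling back to base_quorum. Nothing stops a custom entry that
    is smaller than base_quorum from becoming the whole proposal's quorum."""
    if len(targets) != len(calldatas):
        raise ValueError("targets and calldatas length mismatch")
    quorum = 0
    for target, calldata in zip(targets, calldatas):
        unit = quorums.get((target, get_selector(calldata)), 0)
        unit = base_quorum if unit == 0 else unit   # don't assume baseQuorum is the highest
        if unit > quorum:
            quorum = unit
    return quorum


def compute_quorum_fixed(targets: List[str], calldatas: List[bytes],
                         quorums: QuorumTable, base_quorum: int) -> int:
    """Mitigation from the finding: same selection, but revert (raise here) when
    the resulting quorum would be below base_quorum."""
    quorum = compute_quorum_vulnerable(targets, calldatas, quorums, base_quorum)
    if quorum < base_quorum:
        raise ValueError("proposal quorum below baseQuorum")
    return quorum


def can_execute(votes_for: int, quorum: int) -> bool:
    """Execution gate: a proposal needs at least `quorum` voting power in favour."""
    return votes_for >= quorum


# Constructed sample data: one target whose custom quorum is far below the base.
BASE_QUORUM = 1000
TRANSFER_SELECTOR = b"\xa9\x05\x9c\xbb"          # ERC-20 transfer(address,uint256)
SAMPLE_TARGETS = ["treasury"]
SAMPLE_CALLDATAS = [TRANSFER_SELECTOR + b"\x00" * 64]
SAMPLE_QUORUMS: QuorumTable = {("treasury", TRANSFER_SELECTOR): 10}


def demo() -> Tuple[int, bool, bool]:
    """Returns (quorum under the quoted loop, whether 10 votes already execute
    the proposal, whether the fixed version rejects the proposal at creation)."""
    q = compute_quorum_vulnerable(SAMPLE_TARGETS, SAMPLE_CALLDATAS, SAMPLE_QUORUMS, BASE_QUORUM)
    executable_with_little_power = can_execute(10, q)
    try:
        compute_quorum_fixed(SAMPLE_TARGETS, SAMPLE_CALLDATAS, SAMPLE_QUORUMS, BASE_QUORUM)
        rejected = False
    except ValueError:
        rejected = True
    return q, executable_with_little_power, rejected


if __name__ == "__main__":
    print(demo())   # (10, True, True)
```

The model keeps the quoted loop unchanged and adds only the single comparison the mitigation asks for, so the two functions differ exactly by that check; when no custom entry exists for any (target, selector) pair, both return baseQuorum.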

Assessed type

Governance
