A malicious user can create a harmful proposal and execute it by setting a very low quorum, which can lead to very bad consequences.
When creating a proposal, the quorum calculation logic looks like this:

    // get the quorum requirement for this proposal. The quorum requirement is equal to
    // the greatest quorum item in the proposal
    uint256 quorum;
    for (uint256 i = 0; i < targets.length; i++) {
        // function selector should be the first 4 bytes of the calldata
        bytes4 selector = _getSelector(calldatas[i]);
        uint256 unitQuorum = _quorums[targets[i]][selector];
        // don't assume baseQuorum is the highest
        unitQuorum = unitQuorum == 0 ? baseQuorum : unitQuorum;
        if (unitQuorum > quorum) {
            quorum = unitQuorum;
        }
    }

Here, the quorum calculation depends entirely on unvalidated, user-provided parameters. There is also no check for whether quorum is below baseQuorum. A malicious user can supply malicious data to create a proposal with a very low quorum and eventually execute it with a small amount of voting power.
manual review
Strictly maintain baseQuorum.
Check if quorum is less than baseQuorum and revert if it is smaller.
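One way to write the recommended check, as an added example that is not the audited project's code. The contract name, the custom error, the internal setter and the length checks are assumptions for illustration; `_quorums`, `baseQuorum` and `_getSelector` reuse the names from the snippet quoted above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

// Added illustration (hypothetical contract), showing the quorum loop from the
// report followed by the recommended "revert if below baseQuorum" check.
contract QuorumFloorExample {
    uint256 public baseQuorum;
    mapping(address => mapping(bytes4 => uint256)) private _quorums;

    // Hypothetical error name.
    error QuorumBelowBase(uint256 quorum, uint256 baseQuorum);

    constructor(uint256 baseQuorum_) {
        baseQuorum = baseQuorum_;
    }

    // Hypothetical internal setter so a deriving contract can configure
    // per-function quorums behind its own access control.
    function _setQuorum(address target, bytes4 selector, uint256 value) internal {
        _quorums[target][selector] = value;
    }

    // The selector is the first 4 bytes of the calldata; shorter calldata is rejected.
    function _getSelector(bytes calldata data) internal pure returns (bytes4) {
        require(data.length >= 4, "calldata too short");
        return bytes4(data[:4]);
    }

    function proposalQuorum(address[] calldata targets, bytes[] calldata calldatas)
        public
        view
        returns (uint256 quorum)
    {
        require(targets.length == calldatas.length, "length mismatch");
        for (uint256 i = 0; i < targets.length; i++) {
            bytes4 selector = _getSelector(calldatas[i]);
            uint256 unitQuorum = _quorums[targets[i]][selector];
            unitQuorum = unitQuorum == 0 ? baseQuorum : unitQuorum;
            if (unitQuorum > quorum) {
                quorum = unitQuorum;
            }
        }
        // Recommended check: a proposal never proceeds with a quorum below
        // baseQuorum. This also rejects an empty targets array, where the
        // loop leaves quorum at 0.
        if (quorum < baseQuorum) {
            revert QuorumBelowBase(quorum, baseQuorum);
        }
    }
}
```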
Governance