GovernorOLAS is susceptible to DOS via proposal frontrunning

2024-01-08 00:00:00
Code4rena
github.com
Tags: governorolas, dos vulnerability, proposal frontrunning, openzeppelin, governorcompatibilitybravo, v4.8.3, denial of service, upgrade, opt-in protection, governance

AI Score

7.1

Confidence

High

Lines of code
<https://github.com/code-423n4/2023-12-autonolas/blob/2a095eb1f8359be349d23af67089795fb0be4ed1/governance/package.json#L28>
<https://github.com/OpenZeppelin/openzeppelin-contracts/blob/0a25c1940ca220686588c4af3ec526f725fe2582/contracts/governance/Governor.sol#L263>
<https://github.com/OpenZeppelin/openzeppelin-contracts/blob/0a25c1940ca220686588c4af3ec526f725fe2582/contracts/governance/compatibility/GovernorCompatibilityBravo.sol#L107>

Vulnerability details

Impact

The GovernorOLAS contract inherits from OpenZeppelin’s GovernorCompatibilityBravo v4.8.3, which has a known vulnerability in the proposal creation process that can be exploited to halt proposals sent to the governor.

The root cause of this vulnerability is the exposure of the cancel() function. A malicious user can exploit it by frontrunning a call to propose() seen in the mempool: the attacker submits the exact same proposal first and then calls cancel() on it, effectively blocking the original proposal.

This vulnerability can lead to a denial of service attack on the governance system, preventing legitimate proposals from being processed.

For more details, refer to OpenZeppelin’s security advisory and this vulnerability report.

Proof of Concept

Consider the following scenario:

  1. Alice creates a proposal by calling the propose() function.
  2. Bob, a malicious user, sees Alice’s transaction in the mempool and submits the same transaction with a higher gas price.
  3. Bob’s transaction is executed before Alice’s.
  4. Alice’s transaction fails since the proposal already exists.
  5. Bob then calls the cancel() function on his proposal, blocking its execution.

Tools Used

Manual review

Recommended Mitigation Steps

Upgrade @openzeppelin/contracts to version v4.9.1 or later, which introduces opt-in frontrunning protection.
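The following Python model is an added illustration, not code from this finding, the Autonolas repository or OpenZeppelin. It walks through the proof-of-concept sequence above against a minimal governor and then re-runs it with the opt-in proposer restriction that OpenZeppelin shipped in v4.9.1, where a description ending in `#proposer=0x<address>` may only be proposed by that address. Assumptions: the proposal ID is derived with SHA3-256 as a stand-in for Solidity's `keccak256(abi.encode(...))` (only determinism matters here), the Bravo-style cancel rule is reduced to "only the proposer may cancel", and the addresses and calldata are constructed values.

```python
import hashlib
import re

# Constructed addresses for the walkthrough (not real accounts), written in
# lowercase hex as Solidity's Strings.toHexString renders them.
ALICE = "0x" + "aa" * 20
BOB = "0x" + "bb" * 20
TARGET = "0x" + "cc" * 20

# Marker recognised by the v4.9.1 opt-in check: the description must END with it.
PROPOSER_MARKER = re.compile(r"#proposer=(0x[0-9a-fA-F]{40})$")


class ProposalExists(Exception):
    pass


class RestrictedProposer(Exception):
    pass


class NotProposer(Exception):
    pass


def proposal_id(targets, values, calldatas, description):
    """Content-derived proposal ID.

    Stand-in for Governor.hashProposal, i.e.
    keccak256(abi.encode(targets, values, calldatas, keccak256(description))).
    SHA3-256 replaces keccak256 because the latter is not in the stdlib; the
    property that matters is: identical inputs -> identical ID.
    """
    desc_hash = hashlib.sha3_256(description.encode()).digest()
    h = hashlib.sha3_256()
    for target, value, calldata in zip(targets, values, calldatas):
        h.update(bytes.fromhex(target[2:]))
        h.update(value.to_bytes(32, "big"))
        h.update(len(calldata).to_bytes(4, "big") + calldata)
    h.update(desc_hash)
    return int.from_bytes(h.digest(), "big")


def is_valid_description_for_proposer(proposer, description):
    """Model of the opt-in check added in OpenZeppelin v4.9.1.

    No marker -> anyone may propose (backwards compatible). With a marker, the
    contract compares it against Strings.toHexString(proposer), which is
    lowercase hex, so an upper-case marker is rejected rather than ignored.
    """
    match = PROPOSER_MARKER.search(description)
    if match is None:
        return True
    return match.group(1) == proposer.lower()


class Governor:
    def __init__(self, restrict_proposer=False):
        self.restrict_proposer = restrict_proposer  # True models >= v4.9.1
        self.proposals = {}  # proposal id -> state

    def propose(self, sender, targets, values, calldatas, description):
        if self.restrict_proposer and not is_valid_description_for_proposer(sender, description):
            raise RestrictedProposer(sender)
        pid = proposal_id(targets, values, calldatas, description)
        if pid in self.proposals:  # same content => same id => revert
            raise ProposalExists(pid)
        self.proposals[pid] = {"proposer": sender, "canceled": False}
        return pid

    def cancel(self, sender, pid):
        proposal = self.proposals[pid]
        if proposal["proposer"] != sender:
            raise NotProposer(sender)
        proposal["canceled"] = True
        return pid


def frontrun_scenario(restrict_proposer, description):
    """Bob's copy of Alice's propose() call is mined first; report what happens."""
    gov = Governor(restrict_proposer)
    args = ([TARGET], [0], [b"\x12\x34\x56\x78"], description)  # constructed call
    outcome = {"bob": None, "alice": None, "canceled_by_bob": False}
    try:
        bob_id = gov.propose(BOB, *args)
        outcome["bob"] = "created"
    except RestrictedProposer:
        outcome["bob"] = "rejected"
    try:
        gov.propose(ALICE, *args)
        outcome["alice"] = "created"
    except ProposalExists:
        outcome["alice"] = "already exists"
    if outcome["bob"] == "created":
        gov.cancel(BOB, bob_id)
        outcome["canceled_by_bob"] = gov.proposals[bob_id]["canceled"]
    return outcome


if __name__ == "__main__":
    print("v4.8.3, plain description:    ", frontrun_scenario(False, "Upgrade treasury"))
    print("v4.9.1, plain description:    ", frontrun_scenario(True, "Upgrade treasury"))
    print("v4.9.1, marked description:   ", frontrun_scenario(True, "Upgrade treasury#proposer=" + ALICE))
```

Two details of the model are the ones worth checking in a real deployment. Because the description hash is part of the proposal ID, a frontrunner has to copy the `#proposer=` suffix verbatim to collide with the victim's ID, and that same suffix is what makes the restricted check reject the copy. The protection is opt-in per proposal: a description without the marker remains as blockable on v4.9.1 as on v4.8.3, so the upgrade only helps if the governance frontend or proposal tooling actually appends the marker for every proposal.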

Assessed type

Governance

