Anyone can change the members of Security Council
Lines of code Vulnerability details Impact Anyone can change the members of security council by calling the function perform in the contract SecurityCouncilMemberSyncAction.sol as the function is open to all. Proof of Concept uint256 updateNonce = getUpdateNoncesecurityCouncil; if nonce =...
PROPOSAL DEADLINE IS NOT CHECKED DURING VOTE CASTING IN _countVote FUNCTION
Lines of code Vulnerability details Impact The SecurityCouncilNomineeElectionGovernorCountingUpgradeable is an abstract contract which is inherited by the SecurityCouncilNomineeElectionGovernor contract. The SecurityCouncilNomineeElectionGovernorCountingUpgradeable._countVote function is responsib...
Anyone can call perform in SecurityCouncilMemberSyncAction to update members of security council multisig
Lines of code Vulnerability details Impact Anyone can update members of security council multisig Proof of Concept SecurityCouncilMemberSyncAction contract has a perform function which is used to update members of security council multisig. File: SecurityCouncilMemberSyncAction.sol /// @notice...
Vote tokens of voters are not returned.
Lines of code Vulnerability details Impact In the docs and twitter spaces, it was mentioned that the voting tokens will be given back to the voters after the Election has ended. But no logic is implemented anywhere in the repo. This can cause voters to lose their valuable voting tokens which can...
otherCohort() is not returning different value when the Election has ended.
Lines of code Vulnerability details Impact In SecurityCouncilNomineeElectionGovernor.sol when the otherCohort function is called, it should return the otherCohort. But it is not the case because it returns the cohort at electionIndexToCohort at electionCount - 2 which is only updated when another...
New election can be created when another election is running.
Lines of code Vulnerability details Impact In the SecurityCouncilNomineeElectionGovernor.sol When calling createElection function, there is this check called requireLastMemberElectionHasExecuted which checks if the last election has executed. But this is wrong, the check is done by checking if th...
Security council elections are vulnerable to signature replay attack
Lines of code Vulnerability details Impact SecurityCouncilNomineeElectionGovernor and SecurityCouncilMemberElectionGovernor contracts both inherit castVoteWithReasonAndParamsBySig function from the base GovernorUpgradeable contract, but implement custom _countVote function respectively. The...
Possible DoS of Election Process
Lines of code Vulnerability details Impact Contract SecurityCouncilNomineeElectionGovernor allows contenders to participate in the election process as nominee over function addContender. The necessary condition for this process is that proposal was created before and has status...
Anyone can call the perform function because there is no access control
Lines of code L31-L75 Vulnerability details Impact Anyone can call the perform function. It can lead to unauthorized changes in the security council. Proof of Concept There is no access control in the perform function and it is marked "external". function perform(address securityCouncil, address...
No security council member can be proposed for removal using the propose function because it will always return MemberNotFound
Lines of code L134-L139 Vulnerability details Impact No security council member can be proposed for removal. Proof of Concept Going by the Arbitrum DAO constitution, a security council member cannot belong to first and second cohort at the same time. A security council member can either be in the...
Invalid startDate check in SecurityCouncilNomineeElectionGovernorTiming contract
Lines of code Vulnerability details Summary The SecurityCouncilNomineeElectionGovernorTiming contract has an invalid startDate check in the SecurityCouncilNomineeElectionGovernorTiminginit function. The check ensures that the startDate is in the future, but it does not check that the startDate is...
Governor relay() functions can be used to bypass voting and directly run critical SecurityCouncilManager functions
Lines of code https://github.com/ArbitrumFoundation/governance/blob/c18de53820c505fc459f766c1b224810eaeaabc5/src/security-council-mgmt/governors/SecurityCouncilNomineeElectionGovernor.sol...
replaceMember & rotateMember has no voting process
Lines of code Vulnerability details Impact The execution of the two methods replaceMember&rotateMember does not implement the voting process, which will violate the provisions of the following articles Address rotation: As a practical matter, a council member can rotate one of their own keys. Thi...
Claim reward can be inaccessible if msg.sender is a smart contract with no fallback/receive function
Lines of code Vulnerability details Impact When calling claim on LendingLedger, the claim reward can be inaccessible if msg.sender is a smart contract with no fallback/receive function. Indeed, msg.sender.call{value: cantoToSend}("") would fail and the claim would revert, not allowing the user to...
GovernanceChainSCMgmtActivationAction : TIMELOCK_CANCELLER_ROLE is not set to the newEmergencySecurityCouncil
Lines of code Vulnerability details Impact newEmergencySecurityCouncil will not have the TIMELOCK_CANCELLER_ROLE. Proof of Concept GovernanceChainSCMgmtActivationAction has the function perform which will be used to activate elections on Arbitrum One. while the function set and revoke the...
Absence of zero address checks for roles passed to the initialize function.
Lines of code Vulnerability details Impact The initialize function accepts various roles as part of the roles parameter SecurityCouncilManagerRoles. However, it doesn't validate whether any of these role addresses are set to the zero address address(0). This omission might result in inadvertently...
Missing __Governor_init() call in SecurityCouncilMemberRemovalGovernor's initialize() function
Lines of code Vulnerability details Bug Description The SecurityCouncilMemberRemovalGovernor contract inherits Openzeppelin's GovernorUpgradeable: SecurityCouncilMemberRemovalGovernor.sol#L17-L19 contract SecurityCouncilMemberRemovalGovernor is Initializable, GovernorUpgradeable, However, in its...
electionToTimestamp() might return incorrect timestamps depending on the day of the first election
Lines of code Vulnerability details Bug Description For nominee elections, election dates are determined using the electionToTimestamp function in the SecurityCouncilNomineeElectionGovernorTiming module. When SecurityCouncilNomineeElectionGovernor is initialized after deployment, the first...
Missing validation to ensure that the _l2CoreGovTimelock parameter is not the zero address in the initialize function
Lines of code Vulnerability details Impact The initialize function accepts a parameter _l2CoreGovTimelock and does check if it's a contract address using Address.isContract. However, there's no explicit check to ensure that _l2CoreGovTimelock is not the zero address...
Missing validation for the _l1TimelockMinDelay parameter in the constructor to ensure it's within a reasonable or expected range.
Lines of code Vulnerability details Impact The constructor accepts a parameter _l1TimelockMinDelay and assigns it to l1TimelockMinDelay without performing any validation checks. This means potentially erroneous or extreme values can be set, which could cause undesired behaviors in the system or op...
L1SCMgmtActivationAction does not check executor role of new and prev emergency security council
Lines of code Vulnerability details Proof of Concept GovernanceChainSCMgmtActivationAction.sol checks that the newEmergencySecurityCouncil has a upgradeExecutor role whereas the prevEmergencySecurityCouncil does not have a upgradeExecutor role. GovernanceChainSCMgmtActivationAction.sol // confirm...
newEmergencySecurityCouncil in GovernanceChainSCMgmtActivationAction.sol is not given the TIMELOCK_CANCELLER_ROLE
Lines of code Vulnerability details Proof of Concept GovernanceChainSCMgmtActivationAction.sol checks that the prevEmergencySecurityCouncil has the TIMELOCK_CANCELLER_ROLE first. Then, the role is revoked from the prevEmergencySecurityCouncil. In the last few lines, the function makes sure that the...
SecurityCouncilManager : removeMember does not make sure that the member is removed successfully.
Lines of code Vulnerability details Impact Incorrect information emitted as removed address. Remover would be thinking that they have successfully removed the harm causing cohort members, but still they are sitting inside the council. This is not good given the nature of the harmed action that...
currentCohort FUNCTION SHOULD REVERT WHEN electionCount == 0 RATHER THAN RETURNING Cohort.FIRST
Lines of code Vulnerability details Impact In the SecurityCouncilNomineeElectionGovernor.currentCohort function is used to retrieve the current Cohort of the contract. For a cohort to be elected the election should be created with the respective proposal Id. But within the function scope of...
Consider Disabling Inherited _cancel Function In The Governor Contracts
Lines of code Vulnerability details Impact The currently used openzeppelin upgradeable contracts dependency @openzeppelin/contracts-upgradeable is v4.7.3 The security council management contracts are inheriting the openzeppelin GovernorUpgradeable contracts to manage proposals. This version of...
The Owner of SecurityCouncilMemberElectionGovernor Can Replace Cohorts And Bypass The Election Process
Lines of code Vulnerability details Impact In SecurityCouncilManager contract: the cohorts members are replaced by election via replaceCohort function; the process goes as follows: 1. an election proposal is made by anyone after 6-months of the last election via...
SecurityCouncilNomineeElectionGovernor might have to wait for more than 6 months to create election again
Lines of code Vulnerability details Impact SecurityCouncilNomineeElectionGovernor might have to wait for more than 6 months to create election again Proof of Concept According to the document, security council election can be created every 6 months. Contract SecurityCouncilNomineeElectionGovernor...
prev emergency security council still has canceller role in SecurityCouncilMgmtActivationAction
Lines of code Vulnerability details Description In the GovernanceChainSCMgmtActivationAction.perform function. This function is responsible for activating the new emergency security council and revoking the roles of the previous emergency security council. The bug occurs in the following line of...
Revert error in SecurityCouncilNomineeElectionGovernor.sol#_execute()
Lines of code Vulnerability details Impact Current implementation of SecurityCouncilNomineeElectionGovernor.sol#_execute will always revert whenever it is executed Proof of Concept 1. Take a look at SecurityCouncilNomineeElectionGovernor.sol#_execute 324: function execute 325: uint256 proposalId, 326...
Voters can vote on a single pool multiple times by redelegating
Lines of code Vulnerability details Impact Users should be able to have only one concurrent vote on a pool in GaugeController. When a user votes the weight of his vote is calculated using his userweight parameter and the slope and end time of his balance lock are used to calculate the bias for th...
If gov use removeGauge users who use votingPower for that gauge will lose their votingPower infinitely.
Lines of code Vulnerability details Impact When gov use removeGauge gauge's power changed to the 0, however there is no reset for user votePower which stored in voteuserpower mapping. Because of that users will lose their voting power. For example if a user give his 1000 votingPower to removedGau...
GaugeController._get_sum() returns wrong value, breaking vote accounting
Lines of code Vulnerability details Impact The function to account for past historic total gauge weights _get_sum is supposed to return the sum for the future week. Instead it returns the sum for the oldest updated week. The returned value is used in vote_for_gauge_weights to compute the sum after the...
No need to stack lend pool to take lendlaunger rewards
Lines of code Vulnerability details Impact Lending ledger gives reward tokens to users if they lend their tokens to selected pools. LendingLedger gives rewards weekly and it records user's balance until the end of the week (especially Thursday, because 1 Jan 1970 was Thursday). But protocol records can ...
Delegate system can be used to increase voting power without resetting the lockEnd
Lines of code Vulnerability details Impact The added delegate mechanism allows increasing the voting power without resetting the lockEnd. Proof of Concept IncreaseAmount increases the locked amount of a msg.sender staked native in VotingEscrow and resets its lockEnd to block.timestamp + LOCKTIME...
Delegating older lock to a newer one does not allow to undelegate it
Lines of code Vulnerability details Impact User who accidentally delegates his lock to the newer one, will get his lock stuck. User won't be able to undelegate his lock, because function delegate will always revert. Please notice, that this is the different issue than previously reported:...
the _checkpoint_market may not work as expected when it called more than twice at least
Lines of code Vulnerability details Impact the _checkpoint_market function in the lendingLedger.sol contract did not work as it expected when the caller make a call to the function for the third time. the _checkpoint_market would called more than once to update the market, however the function will n...
If user has delegated someone when locktime expires his tokens will be stuck forever.
Lines of code Vulnerability details Impact Tokens will be stuck forever if user's locktime expired when his delegatee is someone different than him. Because he cannot withdraw his money, also he cannot delegate himself too because his lock expired. Also he cannot use increaseamount for lockexpired and...
GaugeController allows for quick vote and withdraw
Lines of code Vulnerability details This issue was identified in the original Curve Finance audit, finding ID TOB-CURVE-DAO-004. It remains unresolved in the mkt.market implementation, but was fixed in the Curve implementation. Impact A malicious voter is able to use full voting power for multipl...
the claim function may underFlow when it calculate the claimEnd
Lines of code Vulnerability details Impact in the claim function there is possibility of the underflow which lead the transaction to revert, the function may underflow in this line uint256 claimEnd = Math.min(currEpoch - WEEK, claimUpToTimestamp) because the currEpoch will return the current epoch...
check for the reentrancy attack is missed in the claim function
Lines of code Vulnerability details Impact the function claim in the LendingLedger.sol will send native token $CANTO to the msg.sender by .call which it can be EOA or Contracts, because there is no any RA checks the caller can make double call in the same time to get himself more tokens reward th...
Unsafe typecasting can lead to tokens being locked in the contract
Lines of code Vulnerability details Impact In the createLock function the amount is calculated by casting the uint256 value to int128 in an unsafe way. Specifically the locked.amount is calculated as: locked.amount += int128(int256(value)); could result in a negative value for locked.amount. For...
Potential Overflow Bug in sync_ledger Function
Lines of code Vulnerability details Impact The sync_ledger function in the provided Solidity smart contract is vulnerable to potential overflow issues when processing a large value for the delta parameter. Depending on the magnitude of the delta value, the contract may encounter various undesired...
Delegation empowers more voting weight than expected
Lines of code Vulnerability details Description and Impact The user's voting power decreases linearly from the moment of the lock. To prevent this decrease, users can delegate their voting power to a new wallet. Here is an example scenario illustrating this: 1. The user owns two wallets, Wallet A...
Delegated Votes Blocking Delegator Undelegation
Lines of code Vulnerability details Impact Once a delegator has delegated their votes to a delegatee, and the delegatee employs those votes in an ongoing proposal, the delegator loses the ability to undelegate their votes. VotingEscrow::delegate is used to delegate user A's votes to User B. Once...
Decayed voting power can be restored by delegating to newer lock
Lines of code Vulnerability details Impact Delegation to newer lock updates slope and bias of delegatee according to new delegated amount and lengthier lock time which leads to decayed voting power from delegator older lock to be restored // @audit - slope and bias being updated according to...
User funds can be lost
Lines of code Vulnerability details Impact User funds sent by users can be lost forever Proof of Concept The contract LendingLedger.sol implements the function receive() external payable to allow to the protocol to deposit the Canto used in the expected behaviour. But since the receive() external...
User can claim most of the rewards for a lending market by depositing cNote for just 2 blocks / epoch
Lines of code Vulnerability details Impact For a user to receive rewards for supplying cNote in a lending market LM, he only needs to have supplied the cNote at the end of an epoch. Users staking for the whole duration of an epoch get 0 benefits, compared to users who supply only at the end of th...
User is able to delegate to delegatee with shorter lock when calling increaseAmount()
Lines of code Vulnerability details Impact When a user "user A" calls increaseAmount, if he had previously delegated his lock to another user "delegatee" this would update the end of the lock for "user A" while increasing the amount of delegated for the other user aka "delegatee". This is...
User point history for first epoch remains empty
Lines of code Vulnerability details Impact balanceOfAt will not work correctly if the block number queried is related to user's first epoch. Proof of Concept VotingEscrow.sol#L142-L149 first assigns userOldPoint to userPointHistory[addr][uEpoch + 1] if uEpoch==0 and then always assigns userNewPoint to...
Failed transfer with low level call could be overlooked
Lines of code Vulnerability details Impact In LendingLedger.sol and votingEscrow.sol, low level call made using the call, According to the Solidity docs, "The low-level functions call, delegatecall and staticcall return true as their first return value if the account called is non-existent, as pa...