Attackers can increase voting power by incentivizing #479
Comments
Nice idea, not sure if there's any way to avoid this. Allowlist would cause centralization issue, and would be defeated by the bribes as well.
While I think the finding can be further developed, I have to concede that via bribes and incentives, governance can be skewed to act against the interest of the founders. Whether this is good or bad per se is not that relevant; however, the system does allow delegation to a "malicious party" which would be able to obtain enough votes to do whatever they want. Notice that the veto system prevents this as well, so we could argue that removing vetoing allows this, which is effectively another take on a 51% attack. Leaving as unique for the thought-provoking idea.
This is why veto power is granted to founders. Not an issue IMO and would introduce needless complexity + centralization going the blacklist route.
Per the discussion above, taking into consideration that CodeArena is an end-user-facing project, meaning our reports could be used to determine if a project is safe or not, and given the recent example of large-scale bribes to influence a voting outcome: while disagreeing as well with the solution of offering a blocklist to prevent malicious actors, and agreeing that the finding should have been better written, I have to rationally concede that the ability to bribe governance can be used to extract value from the Treasury; a Vetoer may or may not offer protection at that time due to second-order social consequences. Because of that, given the rules (loss of value conditional on externalities) and given the precedents (one linked above, I'm sure there are many others), I still believe that this is a valid Medium Severity finding. Per the comment by the sponsor, a properly aligned Vetoer will be able to prevent most of these attacks; however, I don't think that's sufficient to make the finding invalid.
Lines of code
https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L248-L297
Vulnerability details
Category
Governance
Impact
If the cost of obtaining voting power (by incentivizing or bribing token holders to delegate or vote) is less than the benefit to be gained from the outcome of the vote, the outcome of the vote can be influenced.
Proof of Concept
https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L248-L297
Vampire Attack Explained
https://finematics.com/vampire-attack-sushiswap-explained/
Tools Used
Manual
Recommended Mitigation Steps
`_castVote` function.
Similar Issue
code-423n4/2022-05-aura-findings#278