Compromised or malicious vetoer can veto any proposals with unrestricted power #622
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons
sponsor disputed: Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Lines of code
https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L385-L405
Vulnerability details
Impact
The settings.vetoer, which is the first founder defined by the FounderParams, can call the following veto function to veto any proposals that are not yet executed, which immediately blocks these proposals from execution. Because the vetoer is just one founder, which can just be a single EOA, the chance of losing its private key and being compromised is not low. There is also no guarantee that the vetoer will not become malicious in the future. When the vetoer becomes compromised or malicious, all critical proposals, such as for updating implementations or withdrawing funds from the treasury, can be vetoed so the negative impact can be very high.
https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L385-L405
Proof of Concept
Please append the following tests in test\Gov.t.sol. These tests will pass to demonstrate the vetoer's power for vetoing pending, active, and queued proposals.
Tools Used
VSCode
Recommended Mitigation Steps
A token supply threshold governance configuration can be added. Before the token supply exceeds this threshold, the vetoer can remain in full power for protecting against the 51% attack on the deployed DAO while the token supply is low.
After the token supply exceeds this threshold, the following changes can be considered for restricting the vetoer's power.
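A sketch of the supply-threshold gate described above, added here as an illustration; it is not the project's Governor code and not taken from the report. The contract, the ISupply interface, vetoSupplyThreshold, restrictVeto and the error names are hypothetical, and the restriction applied past the threshold (veto disabled entirely, latched so a later drop in supply cannot re-enable it) is an assumption chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Hypothetical minimal view of the governance token: only totalSupply() is needed.
interface ISupply {
    function totalSupply() external view returns (uint256);
}

// Illustration only. Proposal lifecycle is reduced to a state mapping.
contract ThresholdVetoSketch {
    enum ProposalState { Pending, Active, Queued, Executed, Vetoed }

    address public immutable vetoer;
    ISupply public immutable token;
    uint256 public immutable vetoSupplyThreshold; // hypothetical governance setting
    bool public restricted; // latched once supply has exceeded the threshold

    mapping(bytes32 => ProposalState) public stateOf;

    error OnlyVetoer();
    error AlreadyExecuted();
    error VetoRestricted();
    error ThresholdNotReached();
    event ProposalVetoed(bytes32 proposalId);

    constructor(address _vetoer, ISupply _token, uint256 _threshold) {
        vetoer = _vetoer;
        token = _token;
        vetoSupplyThreshold = _threshold;
    }

    // Anyone may latch the restriction once supply is above the threshold,
    // so a later decrease in supply does not hand full power back.
    function restrictVeto() external {
        if (token.totalSupply() <= vetoSupplyThreshold) revert ThresholdNotReached();
        restricted = true;
    }

    function veto(bytes32 _proposalId) external {
        if (msg.sender != vetoer) revert OnlyVetoer();
        // Full veto power only while supply is at or below the threshold.
        if (restricted || token.totalSupply() > vetoSupplyThreshold) revert VetoRestricted();
        if (stateOf[_proposalId] == ProposalState.Executed) revert AlreadyExecuted();
        stateOf[_proposalId] = ProposalState.Vetoed; // Pending, Active and Queued are all vetoable
        emit ProposalVetoed(_proposalId);
    }

    // Hook for a derived test contract to move proposals through states.
    function _setState(bytes32 _proposalId, ProposalState _s) internal {
        stateOf[_proposalId] = _s;
    }
}
```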