Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Governance relies on current totalSupply of bHermes when calculate proposalThresholdAmount and quorumVotesAmount #179

Open
code423n4 opened this issue Jun 21, 2023 · 8 comments
Open

Governance relies on current totalSupply of bHermes when calculate proposalThresholdAmount and quorumVotesAmount #179

code423n4 opened this issue Jun 21, 2023 · 8 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working M-40 satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/governance/GovernorBravoDelegateMaia.sol#L87-L93

Vulnerability details

Impact

As people mint bHermes, bHermesVotes' totalSupply grows. And quorumVotesAmount to execute proposal also grows. But it shouldn't, because new people can't vote for it. This behavior adds inconsistency to voting process, because changes threshold after creating proposal.

Proof of Concept

Here you can see that Governance fetches current totalSupply:
https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/governance/GovernorBravoDelegateMaia.sol#L87-L93

    function getProposalThresholdAmount() public view returns (uint256) {
        return govToken.totalSupply() * proposalThreshold / DIVISIONER;
    }

    function getQuorumVotesAmount() public view returns (uint256) {
        return govToken.totalSupply() * quorumVotes / DIVISIONER;
    }

bHermes is ERC4626DepositOnly and mints new govToken when user calls deposit() or mint(), thus increasing totalSupply:
https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/hermes/bHermes.sol#L123-L133

    function _mint(address to, uint256 amount) internal virtual override {
        gaugeWeight.mint(address(this), amount);
        gaugeBoost.mint(address(this), amount);
        governance.mint(address(this), amount);
        super._mint(to, amount);
    }

Tools Used

Manual Review

Recommended Mitigation Steps

Add parameter totalSupply to Proposal struct and use it instead of current totalSupply in functions getProposalThresholdAmount() and getQuorumVotesAmount()

Assessed type

Governance
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jun 21, 2023
code423n4 added a commit that referenced this issue Jun 21, 2023
@code423n4
T1MOH issue #179
4f6f7d0
@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label Jul 9, 2023
@c4-judge
Copy link
Contributor

c4-judge commented Jul 9, 2023

trust1995 marked the issue as primary issue

@c4-judge c4-judge mentioned this issue Jul 9, 2023
Closed
@c4-judge
Copy link
Contributor

trust1995 marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Jul 11, 2023
@c4-sponsor
Copy link

0xLightt marked the issue as sponsor confirmed

@c4-sponsor c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Jul 11, 2023
@c4-judge
Copy link
Contributor

trust1995 marked issue #180 as primary and marked this issue as a duplicate of 180

@c4-judge c4-judge added duplicate-180 and removed primary issue Highest quality submission among a set of duplicates labels Jul 25, 2023
@Nadinnnn Nadinnnn mentioned this issue Jul 26, 2023
Closed
@0xLightt
Copy link

I believe this is valid as it is something we want to address (save the totalSupply at the time of the creation of every proposal) and it is not a duplicate of #180.

@c4-judge c4-judge reopened this Jul 27, 2023
@c4-judge
Copy link
Contributor

trust1995 marked the issue as not a duplicate

@c4-judge
Copy link
Contributor

trust1995 marked the issue as selected for report

@c4-judge c4-judge added the selected for report This submission will be included/highlighted in the audit report label Jul 27, 2023
@0xLightt 0xLightt mentioned this issue Aug 9, 2023
Merged
@0xLightt
Copy link

0xLightt commented Sep 7, 2023

Addressed https://github.com/Maia-DAO/eco-c4-contest/tree/179

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working M-40 satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@code423n4 @c4-judge @c4-sponsor @0xLightt @C4-Staff