Anubis - GovernorBravoDelegateStorage - Lack of Proper Access Control and Data Integrity #34
Labels:
Excluded (Excluded by the judge without consulting the protocol or the senior)
Non-Reward (This issue will not receive a payout)
Anubis
high
GovernorBravoDelegateStorage - Lack of Proper Access Control and Data Integrity
Summary
The GovernorBravoDelegateStorageV2 contract and its related storage contracts lack proper access control mechanisms for critical state variables and functions, potentially allowing unauthorized modification of governance parameters and proposal records.
Vulnerability Detail
Critical state variables such as votingDelay, votingPeriod, proposalThreshold, and mappings like proposals and latestProposalIds are public with no explicit setter functions containing access control mechanisms. This could allow unauthorized actors to modify governance settings or tamper with proposal records.
Impact
An attacker could exploit this vulnerability to disrupt the governance process by altering governance parameters or tampering with proposal records, potentially leading to incorrect governance decisions, loss of funds, or undermining the governance system's integrity.
Code Snippet
https://github.com/sherlock-audit/2024-01-olympus-on-chain-governance/blob/main/bophades/src/external/governance/abstracts/GovernorBravoStorage.sol#L91-L117
Tool used
Manual Review
Recommendation
Implement access control mechanisms such as the onlyAdmin modifier for functions that modify critical state variables or governance parameters. Ensure that state variables that hold sensitive data are either private or have controlled, restricted access.
Code Snippet for Fix:
By enforcing access control and ensuring the integrity of critical governance data, the contract can prevent unauthorized modifications, maintaining the governance system's integrity and intended behavior.
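The pattern the recommendation names, as an added example that is not part of the original report or the Olympus code base: in Solidity, `public` on a state variable generates only a getter, so writes happen only through functions, and the setters below restrict those to the admin. The contract name, setter names, errors, events and bounds are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

/// Hypothetical minimal contract (illustration only). Only the names
/// votingDelay, votingPeriod and proposalThreshold come from the report.
contract GovernanceParamsExample {
    address public admin;

    // `public` generates a getter (e.g. votingDelay()); it creates no setter.
    uint256 public votingDelay;
    uint256 public votingPeriod;
    uint256 public proposalThreshold;

    // Constructed bounds for this example, not the project's values.
    uint256 public constant MIN_VOTING_DELAY = 1;
    uint256 public constant MAX_VOTING_DELAY = 40_320;

    error OnlyAdmin();
    error InvalidVotingDelay();

    event VotingDelaySet(uint256 oldDelay, uint256 newDelay);
    event ProposalThresholdSet(uint256 oldThreshold, uint256 newThreshold);

    modifier onlyAdmin() {
        if (msg.sender != admin) revert OnlyAdmin();
        _;
    }

    constructor(uint256 delay_, uint256 period_, uint256 threshold_) {
        if (delay_ < MIN_VOTING_DELAY || delay_ > MAX_VOTING_DELAY) revert InvalidVotingDelay();
        admin = msg.sender;
        votingDelay = delay_;
        votingPeriod = period_;
        proposalThreshold = threshold_;
    }

    /// Only the admin can change the delay, and only within the bounds.
    function setVotingDelay(uint256 newDelay) external onlyAdmin {
        if (newDelay < MIN_VOTING_DELAY || newDelay > MAX_VOTING_DELAY) revert InvalidVotingDelay();
        emit VotingDelaySet(votingDelay, newDelay);
        votingDelay = newDelay;
    }

    /// Same gate for the proposal threshold; the event records the change.
    function setProposalThreshold(uint256 newThreshold) external onlyAdmin {
        emit ProposalThresholdSet(proposalThreshold, newThreshold);
        proposalThreshold = newThreshold;
    }
}
```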