MatricksDeCoder
medium
..
Summary
Critical parameters such as addresses lack input validation and sanity checks on their values, e.g. the constructor in GovernanceBravoDelegator lacks input validation on all passed-in parameters.
Vulnerability Detail
Take for example the constructor in GovernanceBravoDelegator.sol: its parameters are not validated, as recommended in a Compound audit Medium finding, and Olympus uses Compound governance.
Impact
Not checking values allows an address to be set to address(0), e.g. the timelock, OHM address, and kernel implementation can all be set to address(0).
uint256 votingPeriod_, uint256 votingDelay_, and uint256 proposalThreshold_ can be set to arbitrary values that make the voting module not work, or not work as expected. These need to be sanity checked and bounded.
Code Snippet
https://github.com/sherlock-audit/2024-01-olympus-on-chain-governance/blob/main/bophades/src/external/governance/GovernorBravoDelegator.sol#L10
Tool used
Manual Review
Recommendation
Consider bounding inputs to reasonable ranges and excluding certain values, such as address(0) or uint256(0), from being successfully passed in. This will reduce the surface for error when using these functions.
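The kind of constructor validation the recommendation describes, as an added example that is not the Olympus or Compound code. The contract name, the parameter names (`timelock_`, `ohm_`, `kernel_`, `implementation_`), the numeric bounds and the `initialize(...)` signature it delegatecalls into are all assumptions chosen for illustration; a real deployment would substitute the project's own values and initializer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not the project's code): a Compound-style delegator whose
/// constructor rejects zero addresses, non-contract implementations and
/// out-of-range voting parameters before delegating to the implementation.
contract ValidatedGovernorDelegator {
    // Assumed bounds in blocks; illustrative only, not the project's values.
    uint256 public constant MIN_VOTING_PERIOD = 5_760;        // ~1 day at 15s blocks
    uint256 public constant MAX_VOTING_PERIOD = 80_640;       // ~2 weeks
    uint256 public constant MIN_VOTING_DELAY = 1;             // at least one block
    uint256 public constant MAX_VOTING_DELAY = 40_320;        // ~1 week
    uint256 public constant MIN_PROPOSAL_THRESHOLD = 1e18;    // 1 token (18 decimals)
    uint256 public constant MAX_PROPOSAL_THRESHOLD = 1_000_000e18;

    address public admin;
    address public implementation;

    error ZeroAddress(string param);
    error NotAContract(address implementation);
    error OutOfRange(string param, uint256 value, uint256 min, uint256 max);

    constructor(
        address timelock_,
        address ohm_,
        address kernel_,
        address implementation_,
        uint256 votingPeriod_,
        uint256 votingDelay_,
        uint256 proposalThreshold_
    ) {
        // Address sanity: none of the wired-in contracts may be the zero address.
        if (timelock_ == address(0)) revert ZeroAddress("timelock");
        if (ohm_ == address(0)) revert ZeroAddress("ohm");
        if (kernel_ == address(0)) revert ZeroAddress("kernel");
        if (implementation_ == address(0)) revert ZeroAddress("implementation");
        // A delegatecall to an EOA silently succeeds, so require deployed code.
        if (implementation_.code.length == 0) revert NotAContract(implementation_);

        // Value sanity: bound each governance parameter to a usable range,
        // which also excludes uint256(0) for all three.
        _checkRange("votingPeriod", votingPeriod_, MIN_VOTING_PERIOD, MAX_VOTING_PERIOD);
        _checkRange("votingDelay", votingDelay_, MIN_VOTING_DELAY, MAX_VOTING_DELAY);
        _checkRange("proposalThreshold", proposalThreshold_, MIN_PROPOSAL_THRESHOLD, MAX_PROPOSAL_THRESHOLD);

        admin = msg.sender;

        // Hand the already-validated values to the implementation's initializer
        // (assumed signature). Bubble up its revert reason if it fails.
        (bool ok, bytes memory ret) = implementation_.delegatecall(
            abi.encodeWithSignature(
                "initialize(address,address,address,uint256,uint256,uint256)",
                timelock_, ohm_, kernel_, votingPeriod_, votingDelay_, proposalThreshold_
            )
        );
        if (!ok) {
            assembly {
                revert(add(ret, 32), mload(ret))
            }
        }
        implementation = implementation_;
    }

    /// Reverts with the offending parameter when value is outside [min, max].
    function _checkRange(string memory name, uint256 value, uint256 min, uint256 max) private pure {
        if (value < min || value > max) revert OutOfRange(name, value, min, max);
    }
}
```

The checks run in the delegator itself rather than only in the implementation's initializer, so a misconfigured deployment reverts at construction and the zero-address or zero-value state never exists on chain. In a Foundry test this is straightforward to pin down with `vm.expectRevert(abi.encodeWithSelector(ValidatedGovernorDelegator.ZeroAddress.selector, "timelock"))` before deploying with `address(0)` for the timelock.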
Duplicate of #21