Skip to content
This repository has been archived by the owner on Jul 21, 2024. It is now read-only.

HonorLt - Spam proposals #181

Closed
sherlock-admin2 opened this issue Jan 15, 2024 · 1 comment
Closed

HonorLt - Spam proposals #181

sherlock-admin2 opened this issue Jan 15, 2024 · 1 comment
Labels
Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout

Comments

@sherlock-admin2
Copy link
Contributor

sherlock-admin2 commented Jan 15, 2024
edited by sherlock-admin
Loading

HonorLt

medium

Spam proposals

Summary

An infinite number of active proposals can be initiated by any counselor making it more difficult to challenge them.

Vulnerability Detail

Members can submit proposals to execute transactions in TelcoinDistributor:

    function proposeTransaction(
        uint256 totalWithdrawl,
        address[] memory destinations,
        uint256[] memory amounts
    ) external onlyCouncilMember whenNotPaused {
        // Pushing the proposed transaction to the array
        proposedTransactions.push(
            ProposedTransaction({
                totalWithdrawl: totalWithdrawl,
                destinations: destinations,
                amounts: amounts,
                timestamp: uint64(block.timestamp),
                challenged: false,
                executed: false
            })
        );

        // Emitting an event after proposing a transaction
        emit TransactionProposed(proposedTransactions.length - 1, _msgSender());
    }

If one of the members disagrees with the transaction that member can challenge the distribution, this way rejecting it.
However, no limits exist on how many active proposals can be submitted. A malicious actor can submit thousands of copy-paste proposals, especially on chains like Polygon where gas cost is meager. Legit members will have a hard time filtering and challenging all these proposals.

Impact

If evil counselors want to execute some action, they can instantly spam proposals, before their role is revoked. Then white-hat counselors will need to challenge all these proposals fighting a gas war.

Code Snippet

https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/protocol/core/TelcoinDistributor.sol#L78-L106

Tool used

Manual Review

Recommendation

Consider introducing global / per-account limits on proposals. Another useful layer of protection would be to check if the original proposer still has a council member role when executing the transaction.
@github-actions github-actions bot added Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Excluded Excluded by the judge without consulting the protocol or the senior labels Jan 19, 2024
This was referenced Jan 19, 2024
Closed
Closed
@sherlock-admin sherlock-admin changed the title Zany Mango Rattlesnake - Spam proposals HonorLt - Spam proposals Jan 29, 2024
@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Jan 29, 2024
@nevillehuang
Copy link
Collaborator

Invalid, a malicious council member will simply waste gas to perform this, given challenging proposal will not be affected since it is indexed O(1) from proposalTransactions mapping . Additionally, admin can simply increase challenge period, which applies its effects immediately.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@nevillehuang @sherlock-admin @sherlock-admin2