You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
PR #10268 introduced a vulnerability and will get reverted on CR10.
Current Behavior
Not deployed.
More info:
Governance.sol:dequeueProposalIfReady(uint) (L1258-1294)
PR #10268 and PR #10324 introduce a new function dequeueProposalIfReady(uint proposalId) for the Governance.sol contract. The function is only called in Governance.sol:upvote on line 536 with the given proposalId and it can be called externally as it's marked public.
However, the function only checks if the dequeue time has been reached (e.g. last dequeue time + dequeue frequency) and if the given proposal has not yet expired. It does not take the queue order that is established through upvoting with voting power into account.
In contrary to dequeueProposalsIfReady, which pops the head proposals of the queue, it also only supports dequeueing a single proposal each time. It will set lastDequeue time and consequently block any other proposals from getting dequeued.
This vulnerability can be used to instantly dequeue a proposal without the need for upvotes, as well as block any normal proposals from getting dequeued by repeatedly proposing and dequeueing malicious or bogus proposals.
The text was updated successfully, but these errors were encountered:
Expected Behavior
PR #10268 introduced a vulnerability and will get reverted on CR10.
Current Behavior
Not deployed.
More info:
Governance.sol:dequeueProposalIfReady(uint) (L1258-1294)
PR #10268 and PR #10324 introduce a new function dequeueProposalIfReady(uint proposalId) for the Governance.sol contract. The function is only called in Governance.sol:upvote on line 536 with the given proposalId and it can be called externally as it's marked public.
However, the function only checks if the dequeue time has been reached (e.g. last dequeue time + dequeue frequency) and if the given proposal has not yet expired. It does not take the queue order that is established through upvoting with voting power into account.
In contrary to dequeueProposalsIfReady, which pops the head proposals of the queue, it also only supports dequeueing a single proposal each time. It will set lastDequeue time and consequently block any other proposals from getting dequeued.
This vulnerability can be used to instantly dequeue a proposal without the need for upvotes, as well as block any normal proposals from getting dequeued by repeatedly proposing and dequeueing malicious or bogus proposals.
The text was updated successfully, but these errors were encountered: