User may force fail the action from the DAO:execute
#191
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-01
primary issue
Highest quality submission among a set of duplicates
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/aragon/osx/blob/develop/packages/contracts/src/core/dao/DAO.sol#L186
https://github.com/aragon/osx/blob/develop/packages/contracts/src/plugins/governance/majority-voting/MajorityVotingBase.sol#L286
https://github.com/aragon/osx/blob/develop/packages/contracts/src/plugins/governance/majority-voting/MajorityVotingBase.sol#L459
Vulnerability details
Description
The
execute
function from theDAO.sol
contract allow to execution of any call to any address if the caller has appropriate permission. Some calls are expected to be always successfully executed, and some may revert andexecute
will continue the execution.The following code may call and handle call status.
Also, the function is expected to be used in a different scenario, where the caller may be a user, voter, etc. (See
MajorityVotingBase
). So the caller is not a trusted entity and that means any manipulation of the DAO call should be avoided.The problem is that caller may choose the gas with which the code is executed. If the child call execution spends enough gas then the user may choose that amount of gas, that child call frame fails, but the left gas is enough to successfully finish
DAO:execute
function.Please note, even though the
execute
pass all gas to the child call, actually only 63/64 gas is passed and 1/64 of gas is left on the parent call (EIP-150).Attack scenario
The DAO starts majority voting, and users who have DAO tokens may vote for the proposal. The proposal is to call one
target
protocol, which may fail in case of an inner reason. So the DAO set that the call may fail. The approximate gas that is needed to finish the call to thetarget
contract is700k
. A malicious voter callexecute
function with711.1k
of gas. Since 63/64 * 711.1 < 700, the requested call will fail. And the remaining gas is still sufficient to end theexecute
function logic.Impact
The user may forcefully fail the inner call from the
execute
function. Also, anyone who will use the usualeth_estimateGas
for the gas estimation for theexecute
function will accidentally calculate the amount of gas that will fail the call.Since majority voting is hard to process with many users involved, creating another proposal may create a lot of pain.
Recommended Mitigation Steps
Add the require that gas after the call is bigger than gas before / 64.
The text was updated successfully, but these errors were encountered: