Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

User may force fail the action from the DAO:execute #191

Open
code423n4 opened this issue Mar 10, 2023 · 4 comments
Open

User may force fail the action from the DAO:execute #191

code423n4 opened this issue Mar 10, 2023 · 4 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working M-01 primary issue Highest quality submission among a set of duplicates satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/aragon/osx/blob/develop/packages/contracts/src/core/dao/DAO.sol#L186
https://github.com/aragon/osx/blob/develop/packages/contracts/src/plugins/governance/majority-voting/MajorityVotingBase.sol#L286
https://github.com/aragon/osx/blob/develop/packages/contracts/src/plugins/governance/majority-voting/MajorityVotingBase.sol#L459

Vulnerability details

Description

The execute function from the DAO.sol contract allow to execution of any call to any address if the caller has appropriate permission. Some calls are expected to be always successfully executed, and some may revert and execute will continue the execution.

The following code may call and handle call status.

address to = _actions[i].to;
(bool success, bytes memory response) = to.call{value: _actions[i].value}(
    _actions[i].data
);

if (!success) {
    // If the call failed and wasn't allowed in allowFailureMap, revert.
    if (!hasBit(_allowFailureMap, uint8(i))) {
        revert ActionFailed(i);
    }

    // If the call failed, but was allowed in allowFailureMap, store that
    // this specific action has actually failed.
    failureMap = flipBit(failureMap, uint8(i));
}

Also, the function is expected to be used in a different scenario, where the caller may be a user, voter, etc. (See MajorityVotingBase). So the caller is not a trusted entity and that means any manipulation of the DAO call should be avoided.

The problem is that caller may choose the gas with which the code is executed. If the child call execution spends enough gas then the user may choose that amount of gas, that child call frame fails, but the left gas is enough to successfully finish DAO:execute function.

Please note, even though the execute pass all gas to the child call, actually only 63/64 gas is passed and 1/64 of gas is left on the parent call (EIP-150).

Attack scenario

The DAO starts majority voting, and users who have DAO tokens may vote for the proposal. The proposal is to call one target protocol, which may fail in case of an inner reason. So the DAO set that the call may fail. The approximate gas that is needed to finish the call to the target contract is 700k. A malicious voter call execute function with 711.1k of gas. Since 63/64 * 711.1 < 700, the requested call will fail. And the remaining gas is still sufficient to end the execute function logic.

Impact

The user may forcefully fail the inner call from the execute function. Also, anyone who will use the usual eth_estimateGas for the gas estimation for the execute function will accidentally calculate the amount of gas that will fail the call.

Since majority voting is hard to process with many users involved, creating another proposal may create a lot of pain.

Recommended Mitigation Steps

Add the require that gas after the call is bigger than gas before / 64.

uint256 gasBefore;
// Do call...
require(gasleft() > gasBefore/64);
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Mar 10, 2023
code423n4 added a commit that referenced this issue Mar 10, 2023
@code423n4
V_B issue #191
68c14f6
@c4-judge
Copy link

0xean marked the issue as primary issue

@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label Mar 12, 2023
@c4-judge c4-judge mentioned this issue Mar 12, 2023
Closed
@c4-sponsor c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Mar 14, 2023
@c4-sponsor
Copy link

novaknole20 marked the issue as sponsor confirmed

@c4-judge
Copy link

0xean marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Mar 18, 2023
@c4-judge
Copy link

0xean marked the issue as selected for report

@c4-judge c4-judge added the selected for report This submission will be included/highlighted in the audit report label Mar 18, 2023
@C4-Staff C4-Staff added the M-01 label Mar 28, 2023
@indeqs indeqs mentioned this issue May 18, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working M-01 primary issue Highest quality submission among a set of duplicates satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@code423n4 @c4-judge @c4-sponsor @C4-Staff