Tomo - [Tomo-M6] Attackers can increase voting power by incentivizing #74
Comments
We implemented veto power to ensure none of these attacks are issues.
Escalate for 1 USDC
Ref: Vulnerability Detail above. I understand what you said, but you can't deny the fact that the attacker will cause all proposals to fail, effectively destroying the voting system. Therefore, I offered a way to prevent that attack. Also, this is an example from Code4rena, but I think it's enough to prove this bug is a valid one.
You've created a valid escalation for 1 USDC! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Escalation rejected. This is a known risk of token voting.
This issue's escalations have been rejected! Watsons who escalated this issue will have their escalation amount deducted from their next payout.
Tomo
medium
[Tomo-M6] Attackers can increase voting power by incentivizing
Summary
Attackers can increase voting power by incentivizing
Vulnerability Detail
There are many cases where bribes and incentives have been used to skew governance into acting against the interest of the founders.
These are good examples of this issue:
https://tribe.fei.money/t/fully-repay-fuse-bad-debt/4528
https://dialectic.ch/editorial/nouns-governance-attack-2
https://halborn.com/explained-the-beanstalk-hack-april-2022/
It is true that a properly aligned Vetoer will be able to prevent most of these attacks.
However, if attackers accumulate a large share of the votes, they can vote down every proposal so that none are executed, and the real governance system collapses.
Impact
The proposal decision depends on the attacker
Code Snippet
https://github.com/sherlock-audit/2022-11-frankendao/blob/main/src/Staking.sol#L266-L281
https://github.com/sherlock-audit/2022-11-frankendao/blob/main/src/Staking.sol#L495-L501
https://github.com/sherlock-audit/2022-11-frankendao/blob/main/src/Governance.sol#L586-L600
Tool used
Manual Review
Recommendation
Implement the following to solve this problem:
- `getVote()` and `getCommunityVotingPower()` would return zero for blacklisted accounts.
- `stake()` and `delegate()` would revert for a blacklisted `tokenId`.
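A sketch of the recommended blacklist gating, added here as an illustration and not FrankenDAO's own code; the function names follow the recommendation, but their signatures, the guardian role, the one-vote-per-staked-token weighting and the `castVote()` tally are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not FrankenDAO's code: a guardian-maintained blacklist that
// zeroes voting power and blocks stake()/delegate() for flagged tokenIds.
contract BlacklistGatedVoting {
    address public immutable guardian;                // assumed vetoer/guardian role
    mapping(uint256 => address) public stakerOf;      // tokenId -> staker (stand-in for the NFT)
    mapping(uint256 => address) public delegateOf;    // tokenId -> account its vote backs
    mapping(address => uint256) internal rawVotes;    // vote balance before the blacklist check
    mapping(address => bool) public blacklisted;      // accounts whose votes count as zero
    mapping(uint256 => bool) public blacklistedToken; // tokenIds that cannot stake or delegate
    mapping(uint256 => uint256) public forVotes;      // proposalId -> tallied weight
    mapping(uint256 => mapping(address => bool)) public hasVoted;

    constructor() { guardian = msg.sender; }
    modifier onlyGuardian() { require(msg.sender == guardian, "not guardian"); _; }
    function setBlacklist(address account, bool flag) external onlyGuardian { blacklisted[account] = flag; }
    function setTokenBlacklist(uint256 tokenId, bool flag) external onlyGuardian { blacklistedToken[tokenId] = flag; }

    // stake(): reverts for a blacklisted tokenId; each staked token is worth one vote.
    function stake(uint256 tokenId) external {
        require(!blacklistedToken[tokenId], "token blacklisted");
        require(stakerOf[tokenId] == address(0), "already staked");
        stakerOf[tokenId] = msg.sender;
        delegateOf[tokenId] = msg.sender;
        rawVotes[msg.sender] += 1;
    }

    // delegate(): reverts for a blacklisted tokenId; moves the token's vote to `to`.
    function delegate(uint256 tokenId, address to) external {
        require(!blacklistedToken[tokenId], "token blacklisted");
        require(stakerOf[tokenId] == msg.sender, "not staker");
        rawVotes[delegateOf[tokenId]] -= 1;
        delegateOf[tokenId] = to;
        rawVotes[to] += 1;
    }

    // getVote(): zero for blacklisted accounts, so votes already delegated to them
    // stop counting the moment the guardian flags the account.
    function getVote(address account) public view returns (uint256) {
        return blacklisted[account] ? 0 : rawVotes[account];
    }

    // castVote() weighs the ballot through getVote(), so a flagged account's ballot adds nothing.
    function castVote(uint256 proposalId) external {
        require(!hasVoted[proposalId][msg.sender], "already voted");
        hasVoted[proposalId][msg.sender] = true;
        forVotes[proposalId] += getVote(msg.sender);
    }
}
```

Because the tally reads `getVote()` at cast time rather than a cached balance, flagging an account after it has bought delegations still removes that weight from every open proposal.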