Taiko - Masamune's results

Lines of code

https://github.com/code-423n4/2024-03-taiko/blob/f58384f44dbf4c6535264a472322322705133b11/packages/protocol/contracts/L1/gov/TaikoGovernor.sol#L6 https://github.com/code-423n4/2024-03-taiko/blob/f58384f44dbf4c6535264a472322322705133b11/packages/protocol/package.json#L38-L39

Vulnerability details

Impact

The TaikoGovernor.sol uses OZ "@openzeppelin/contracts-upgradeable/governance/compatibility/GovernorCompatibilityBravoUpgradeable.sol" version 4.8.2, which has a medium severity attached, that could lead to DoS in the case of proposal creation.

Proof of Concept

As you can see TaikoGovernor.sol uses "@openzeppelin/contracts-upgradeable/governance/compatibility/GovernorCompatibilityBravoUpgradeable.sol" and "@openzeppelin/contracts-upgradeable/governance/GovernorUpgradeable.sol" version 4.8.2 https://github.com/code-423n4/2024-03-taiko/blob/f58384f44dbf4c6535264a472322322705133b11/packages/protocol/package.json#L38-L39 but if we look closely on this version we can see that it has a medium severity https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5h3x-9wvq-w4m2 , that specifies that proposal can be easily front-run by anyone, which could lead to Dos. In the codebase there is no actual protection against it since in both propose functions the main OZ function is called with super keyword as can be seen here https://github.com/code-423n4/2024-03-taiko/blob/f58384f44dbf4c6535264a472322322705133b11/packages/protocol/contracts/L1/gov/TaikoGovernor.sol#L58 https://github.com/code-423n4/2024-03-taiko/blob/f58384f44dbf4c6535264a472322322705133b11/packages/protocol/contracts/L1/gov/TaikoGovernor.sol#L81-L85

Tools Used

Manual review

Recommended Mitigation Steps

Use the OZ library that has at least the version of 4.9.1, since that was the version that the problem was patched, to circumvent this issue.

Assessed type

Library