shw
Most of the proposal contracts have a parameterize function for setting the proposal parameters, and these functions are protected only by the notCurrent modifier. When the proposal is proposed through a lodgeProposal transaction, an attacker can front-run it, modify the proposal parameters, and let the community vote it down. As a result, the person proposing loses his fate deposit.
Referenced code:
DAO/Proposals/BurnFlashStakeDeposit.sol#L25-L37
DAO/Proposals/SetAssetApprovalProposal.sol#L21-L24
DAO/Proposals/ToggleWhitelistProposalProposal.sol#L22-L28
DAO/Proposals/UpdateMultipleSoulConfigProposal.sol#L40-L61
DAO/Proposals/WithdrawERC20Proposal.sol#L26-L32
DAO/ProposalFactory.sol#L74-L78
Only allow the creator of the proposal to modify the parameters.
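One way to implement the recommendation above, as an added sketch that is not code from the audited repository. The contract name, the `IDAOLike` interface, `currentProposal()` and the storage fields are hypothetical; only `parameterize`, `notCurrent` and `lodgeProposal` are names taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Hypothetical minimal view of the DAO: which proposal is currently being voted on.
interface IDAOLike {
    function currentProposal() external view returns (address);
}

// Hypothetical proposal contract illustrating the fix (assumed names throughout).
contract ExampleWithdrawProposal {
    IDAOLike public immutable dao;
    // Passed in explicitly rather than read from msg.sender, so the value is
    // still the proposer when a factory contract performs the deployment.
    address public immutable creator;

    address public token;
    address public destination;

    constructor(IDAOLike _dao, address _creator) {
        require(_creator != address(0), "creator required");
        dao = _dao;
        creator = _creator;
    }

    // The guard the report describes: parameters lock once the proposal is
    // the one being voted on. On its own it does not restrict the caller.
    modifier notCurrent() {
        require(dao.currentProposal() != address(this), "proposal locked");
        _;
    }

    // Added guard: only the proposer may set or change parameters.
    modifier onlyCreator() {
        require(msg.sender == creator, "not proposal creator");
        _;
    }

    // Before the fix this would be `external notCurrent` only, leaving the
    // parameters writable by any account until lodgeProposal is mined.
    function parameterize(address _token, address _destination)
        external
        onlyCreator
        notCurrent
    {
        token = _token;
        destination = _destination;
    }
}
```

Voters and tooling can additionally compare the on-chain parameters with the values announced by the proposer before a vote is cast.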