Governor proposal creation may be blocked by frontrunning

Open naddison36 opened this issue 2 years ago • 3 comments

Open Zeppelin has issued the following security advisory:

Affected packages: >=4.3.0 <4.9.1
Patched version: 4.9.1

Origin's ousd-governance repo is using OZ v4.6.0. Modified versions of the OZ Governance contracts are being used.

Analysis needs to be done to see if the OZ change needs to be applied to the modified Origin governance contracts.

OpenZeppelin commit that addresses the issue: https://github.com/OpenZeppelin/openzeppelin-contracts/commit/d9474327a492f9f310f31bc53f38dbea56ed9a57

naddison36 avatar Jun 07 '23 09:06 naddison36

Added the commit that addresses the issue to above description

sparrowDom avatar Jun 07 '23 10:06 sparrowDom

The analysis: Our Governance contract that calls propose imports GovernorCompatibilityBravo. That one imports OZ's 4.6.0 Governor.

This means that our proposal creations could be front-run. Until we upgrade the contracts to 4.9.1 we are vulnerable to the attack.

sparrowDom avatar Jun 07 '23 10:06 sparrowDom
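As an added illustration of the advisory the analysis above refers to (not Origin's or OZ's code), a Python model of the pre-4.9.1 duplicate-proposalId check beside the 4.9.1 `#proposer=0x<address>` description-suffix rule. It assumes `hashlib.sha3_256` as a stand-in for keccak256, and every address, call argument and revert string is constructed for the model.

```python
import hashlib
import re
# Assumption: sha3_256 stands in for keccak256 (only padding differs); the
# id-collision behaviour the advisory concerns is identical.
def proposal_id(targets, values, calldatas, description):
    h = hashlib.sha3_256()
    for part in (*targets, *map(str, values), *calldatas):
        h.update(part.encode())
    h.update(hashlib.sha3_256(description.encode()).digest())
    return h.hexdigest()
# 4.9.1 rule: a description ending in '#proposer=0x<addr>' may only be
# proposed by that address; with no well-formed suffix anyone may propose.
_SUFFIX = re.compile(r"#proposer=0x([0-9a-fA-F]{40})$")

def is_valid_description_for_proposer(proposer, description):
    m = _SUFFIX.search(description)
    return m is None or m.group(1).lower() == proposer[2:].lower()

class Governor:
    def __init__(self, restrict_proposer=True):
        self.proposals = {}  # proposalId -> proposer
        self.restrict_proposer = restrict_proposer  # False models < 4.9.1

    def propose(self, sender, targets, values, calldatas, description):
        if self.restrict_proposer and not is_valid_description_for_proposer(sender, description):
            raise PermissionError("Governor: proposer restricted")
        pid = proposal_id(targets, values, calldatas, description)
        if pid in self.proposals:  # pre-fix: first sender of these args owns the id
            raise ValueError("Governor: proposal already exists")
        self.proposals[pid] = sender
        return pid
def run_scenario():
    """Constructed case: another address sends identical arguments first, then the real proposer does."""
    proposer, other = "0x" + "ab" * 20, "0x" + "cd" * 20
    args = (["0x" + "01" * 20], [0], ["0xdeadbeef"])
    out = {}
    old = Governor(restrict_proposer=False)
    old.propose(other, *args, "Raise fee cap")
    try:
        old.propose(proposer, *args, "Raise fee cap")
    except ValueError as e:
        out["old_proposer"] = str(e)
    new, desc = Governor(), f"Raise fee cap#proposer={proposer}"
    try:
        new.propose(other, *args, desc)
    except PermissionError as e:
        out["new_other"] = str(e)
    out["new_proposer"] = new.proposals[new.propose(proposer, *args, desc)]
    return out
```

On the pre-fix governor the real proposer's call fails as a duplicate; on the patched one the copied description is rejected for the other sender and accepted for the address named in the suffix.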

We will need to re-deploy the Governance contract:

sparrowDom avatar Jun 07 '23 15:06 sparrowDom