Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incomplete Pause Mechanism During L2 Transition #9

Open
hats-bug-reporter bot opened this issue Jan 16, 2025 · 1 comment
Open

Incomplete Pause Mechanism During L2 Transition #9

hats-bug-reporter bot opened this issue Jan 16, 2025 · 1 comment
Labels
invalid This doesn't seem right

Comments

@hats-bug-reporter
Copy link

Github username: --
Twitter username: --
HATS Profile: HATS Profile

Beneficiary: 0x8B4F8984F7C3ba74AC29bE63E094B194FD548704
Submission hash (on-chain): 0xbbd3d03dfbc763ac45be313cad48861a0519f5348fd51d88db9fce3cc7750fb4
Severity: medium

Description:
Description

Take a look at

Mento-0x2a1b9b1f6fa7c2e73815a7dff0e1688767382694/contracts/governance/locking/LockingBase.sol

Lines 449 to 454 in 2fe2367

function setL2TransitionBlock(uint256 l2TransitionBlock_) external onlyMentoLabs {
l2TransitionBlock = l2TransitionBlock_;
paused = true;
emit SetL2TransitionBlock(l2TransitionBlock_);
} 

function setL2TransitionBlock(uint256 l2TransitionBlock_) external onlyMentoLabs {
    l2TransitionBlock = l2TransitionBlock_;
    paused = true;
    emit SetL2TransitionBlock(l2TransitionBlock_);
}

The function's documentation states that it "Sets the L2 transition block number and pauses locking and governance", however, the implementation only effectively pauses the locking functionality. The pause flag is only checked in LockingBase's getWeekNumber function:

function getWeekNumber(uint32 blockNumber) public view returns (uint32) {
    require(!paused, "locking is paused");
    // ...
}

The MentoGovernor contract does not check this pause flag at all, meaning governance operations can still proceed even during the L2 transition period when they should be paused.

Attack Scenario

MentoLabs initiates L2 transition by calling setL2TransitionBlock
The locking contract is correctly paused, preventing any new locks or modifications
However, the governance contract remains fully operational
Malicious actors could:
Create new proposals during the transition period
Vote on existing proposals
Execute proposals
This could lead to governance actions being executed with potentially inconsistent state during the L2 transition
This breaks the intended security model where all operations should be stalled until after the transition block.

##Recommendation

Move the pause functionality to a separate contract that both LockingBase and MentoGovernor can inherit from:

abstract contract L2TransitionPausable {
    bool public paused;
    
    modifier whenNotPaused() {
        require(!paused, "Operations paused for L2 transition");
        _;
    }
}

Proof of Concept (PoC) File

N/A

Revised Code File (Optional)

N/A
@nvtaveras nvtaveras added the invalid This doesn't seem right label Jan 17, 2025
@nvtaveras
Copy link
Collaborator

Voting on a proposal is not possible since the functions used to calculate votes reference getWeekNumber. Also, getPastTotalSupply(), which is used for determining quorum. See https://github.com/mento-protocol/mento-core/blob/develop/contracts/governance/locking/LockingVotes.sol

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
invalid This doesn't seem right
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@nvtaveras