
fix(protocol): fix governor bravo vulnerability (#15947)
Co-authored-by: Keszey Dániel <[email protected]>
adaki2004 and Keszey Dániel authored Feb 20, 2024
1 parent f53766b commit a631be6
Showing 1 changed file with 27 additions and 1 deletion.
28 changes: 27 additions & 1 deletion packages/protocol/contracts/L1/gov/TaikoGovernor.sol
Expand Up @@ -26,14 +26,15 @@ import "../../common/OwnerUUPSUpgradable.sol";

contract TaikoGovernor is
OwnerUUPSUpgradable,
GovernorUpgradeable,
GovernorCompatibilityBravoUpgradeable,
GovernorVotesUpgradeable,
GovernorVotesQuorumFractionUpgradeable,
GovernorTimelockControlUpgradeable
{
uint256[50] private __gap;

error TG_INVALID_SIGNATURES_LENGTH();

function init(
IVotesUpgradeable _token,
TimelockControllerUpgradeable _timelock
Expand Down Expand Up @@ -62,6 +63,31 @@ contract TaikoGovernor is
return super.propose(targets, values, calldatas, description);
}

/// @notice An overwrite of GovernorCompatibilityBravoUpgradeable's propose() as that one does
/// not checks the length of signatures equal to calldatas.
/// See vulnerability description here:
/// https://github.com/taikoxyz/taiko-mono/security/dependabot/114
/// See fix in OZ 4.8.3 here:
/// https://github.com/OpenZeppelin/openzeppelin-contracts/blob/0a25c1940ca220686588c4af3ec526f725fe2582/contracts/governance/compatibility/GovernorCompatibilityBravo.sol#L72
function propose(
address[] memory targets,
uint256[] memory values,
string[] memory signatures,
bytes[] memory calldatas,
string memory description
)
public
virtual
override(GovernorCompatibilityBravoUpgradeable)
returns (uint256)
{
if (signatures.length != calldatas.length) revert TG_INVALID_SIGNATURES_LENGTH();

return GovernorCompatibilityBravoUpgradeable.propose(
targets, values, signatures, calldatas, description
);
}

function supportsInterface(bytes4 interfaceId)
public
view
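Review bot: The new 5-argument `propose` forwards with the qualified name `GovernorCompatibilityBravoUpgradeable.propose(...)`, while the sibling 4-argument override just above it forwards with `super.propose(...)`; since `override(GovernorCompatibilityBravoUpgradeable)` names the only base carrying that overload, `return super.propose(targets, values, signatures, calldatas, description);` should resolve to the same function and keeps the two overrides consistent. The added `signatures.length != calldatas.length` guard is placed before the base call, so a mismatched proposal is rejected before the base has a chance to store anything, which matches the OZ 4.8.3 fix the comment links to. The NatSpec has a typo (`does not checks`) and would be more useful if it also recorded that this is a local backport, e.g. `/// not check that signatures.length equals calldatas.length (backport of the OZ 4.8.3 fix; remove once the upgradeable dependency is bumped to >= 4.8.3).` The `supportsInterface` function at the end of the hunk continues outside it.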

0 comments on commit a631be6
