GOV-01M: Unsafe Balance Evaluation for Governance
Description:
The balanceOf evaluation of the Governance contract in turn invokes the balanceOf function of the RND liquid asset which can be flash-loaned for a particular governance instance.
Example:
// RND balanceOf = RND.balanceOf()
_accountBalance += IERC20Upgradeable(REGISTRY.getAddress("RND")).balanceOf(account);
return _accountBalance;
Recommendation:
We advise the balanceOf evaluation to instead rely solely on immobile assets, such as SM and the unclaimed vesting controller tokens, to ensure it is resilient against flash-loan manipulation.
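The following contrast of the flash-loan-sensitive evaluation and the recommended immobile-only evaluation is an added example, not code from the audited project; the registry keys "SM" and "VC", the IVestingController interface and its unclaimedOf function are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interfaces assumed for this example (not the project's own).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

interface IRegistry {
    function getAddress(string calldata name) external view returns (address);
}

interface IVestingController {
    // Assumed: tokens still locked for `account`; they cannot be transferred or borrowed.
    function unclaimedOf(address account) external view returns (uint256);
}

contract GovernanceBalanceExample {
    IRegistry public immutable REGISTRY;

    constructor(IRegistry registry) {
        REGISTRY = registry;
    }

    // Flash-loan sensitive: the liquid RND balance can be inflated for the duration
    // of a single transaction, so the vote weight it yields is not trustworthy.
    function balanceOfUnsafe(address account) external view returns (uint256 _accountBalance) {
        _accountBalance += IERC20(REGISTRY.getAddress("SM")).balanceOf(account);
        _accountBalance += IVestingController(REGISTRY.getAddress("VC")).unclaimedOf(account);
        // RND balanceOf = RND.balanceOf()
        _accountBalance += IERC20(REGISTRY.getAddress("RND")).balanceOf(account);
    }

    // Recommended: count only immobile positions (staked SM and unclaimed vesting
    // tokens). Neither can be borrowed and returned atomically, so a flash loan
    // cannot change the result within a transaction.
    function balanceOfSafe(address account) external view returns (uint256 _accountBalance) {
        _accountBalance += IERC20(REGISTRY.getAddress("SM")).balanceOf(account);
        _accountBalance += IVestingController(REGISTRY.getAddress("VC")).unclaimedOf(account);
    }
}
```

The hardened variant assumes the SM position is itself non-transferable, as the recommendation states; if SM could be moved within a transaction, it would need the same treatment as RND.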