Summary
LivepeerGovernor contract allows proposals with zero opinionated votes to succeed. Moreover, even a proposal with 1 wei "against" and 0 "for" votes can succeed if it reaches quorum via "abstain" votes.
Root causes
- Rounding down is introduced when calculating MathUtils.percOf(opinionatedVotes, quota).
- The >= comparison used to compare forVotes with the quorum-adjusted opinionatedVotes evaluates to, for example, 0 >= 0, and therefore results in _voteSucceeded returning true.
Why it's not an issue
- Using "abstain" votes to reach a quorum is known and expected behavior.
- The rounding issue has an impossibly low likelihood of being exploitable: the enforced voting period (currently set to 10 rounds) gives all participants sufficient time to cast opinionated votes and prevent any malicious proposal from passing.
- The issue is mitigated in real life by having as few as 2 wei more "against" votes than "for" votes.
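
The two root causes can be separated with a small model of the arithmetic. This is an added example, not the LivepeerGovernor source: the function names, the PERC_DIVISOR of 1,000,000, the 50% quota, the quorum of 1000 wei and the round-up variant are all assumptions made for illustration.

```python
# Added illustration: a Python model of the vote-counting arithmetic,
# not the contract code. All constants below are assumptions.
PERC_DIVISOR = 1_000_000  # assumed fixed-point denominator behind percOf
QUOTA = 500_000           # assumed quota of 50%, expressed against PERC_DIVISOR
QUORUM = 1_000            # constructed quorum threshold, in wei


def perc_of(amount, frac_num, denom=PERC_DIVISOR):
    """Percentage of amount, rounding down like Solidity integer division."""
    return amount * frac_num // denom


def perc_of_ceil(amount, frac_num, denom=PERC_DIVISOR):
    """Hypothetical round-up variant, shown only for contrast."""
    return -(-amount * frac_num // denom)


def quorum_reached(against, for_, abstain, quorum=QUORUM):
    # Abstain votes count towards quorum (known and expected behaviour).
    return against + for_ + abstain >= quorum


def vote_succeeded(against, for_, quota=QUOTA, perc=perc_of):
    # Abstain votes are ignored; only opinionated votes are compared.
    opinionated = against + for_
    return for_ >= perc(opinionated, quota)


def proposal_passes(against, for_, abstain, perc=perc_of):
    return quorum_reached(against, for_, abstain) and vote_succeeded(
        against, for_, perc=perc
    )


if __name__ == "__main__":
    # Constructed tallies in wei: (against, for, abstain)
    for tally in [(0, 0, 1000), (1, 0, 1000), (2, 0, 1000), (6, 5, 1000), (7, 5, 1000)]:
        print(tally, "floor:", proposal_passes(*tally),
              "ceil:", proposal_passes(*tally, perc=perc_of_ceil))
```

Under these assumptions, rounding up removes the 1 wei "against" case, while the zero-opinionated case still passes because 0 >= 0 holds regardless of rounding direction.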
Out of scope for bug bounty
Reports targeting GovernorCountingOverridable._voteSucceeded via abstain-only voting, zero-opinionated voting, or equal for/against voting are closed as known issues and not eligible for rewards under the Livepeer Immunefi bug bounty program.
References