Concurrent Proposals with ENS Updates

Issue

On 2024-06-18 OpenZeppelin identified a potential race condition between active proposals 258 and 259 which both update the v3-official-markets record of the v3-additional-grants.compound-community-licenses.eth domain.

Impact

If both proposals are enacted, the ENS record changes made by the first executed proposal will be replaced by the changes of the second executed proposal using the setText method on the ENS Resolver (see step 5 of each respective proposal). As a result, the base symbol and Comet contract address of the first executed proposal will be missing from the v3-official-markets record until set by a subsequently enacted proposal that updates the record to include the missing values.

Cause

Both proposals call the setText method of the ENS Resolver directly, which replaces the current value with a new value, without reading and modifying the current value before calling setText.

Remedy

A proposal to add a USDT Comet market on Arbitrum will be proposed for a governance vote next week after voting ends for proposals 258 and 259. This proposal will include an ENS record update that will resolve any missing values as a result of enacting both concurrent proposals. If this new proposal fails to be enacted, subsequent proposals may resolve the missing ENS record values.

I’ll share suggestions for prevention methods in a separate reply to this post.

New Race Condition Between Proposals 262 and 265

Issue

On 2024-06-22 OpenZeppelin identified a potential race condition between active proposals 262 and 265 which both update the v3-official-markets record of the v3-additional-grants.compound-community-licenses.eth domain.

Impact

If proposal 265 is enacted and proposal 262 fails, subsequent execution of proposal 265 will add the Arbitrum USDT Comet Market address of the failed proposal as an official market in the v3-official-markets ENS record.

If both proposals are enacted and proposal 265 is executed first, the ENS record changes made by the first executed proposal will be replaced by the changes of the second executed proposal effectively removing the Polygon USDT Comet Market address from the v3-official-markets ENS record.

Cause

Both proposals call the setText method of the ENS Resolver directly, which replaces the current value with a new value, without reading and modifying the current value before calling setText. Calling setText directly as a proposal instruction requires that the record value be determined no later than the time of proposal. At the time proposal 265 was proposed, it was assumed that proposal 262 would pass and execute before proposal 265.

Remedy

If these risks are realized, a new proposal is needed to correct the ENS record.

Prevention

• Wait until all proposals that update the ENS record using setText directly have either executed or failed before proposing an update to the ENS record.
• To allow for any number of concurrent proposals to update the ENS record without adverse effects, all pending proposals that update the ENS record must determine the setText value at time of proposal execution using an audited contract method that does the following:
  1. reads the current ENS record JSON value
  2. identifies where in that JSON value the new market should be added
  3. creates a new valid JSON value with the new market inserted
  4. uses setText to update the record to the new value

Thanks for the feedback. Both proposals reached the quorum, so there won’t be any problems.