Concurrent Proposals with ENS Updates

New Race Condition Between Proposals 262 and 265

Issue

On 2024-06-22 OpenZeppelin identified a potential race condition between active proposals 262 and 265 which both update the v3-official-markets record of the v3-additional-grants.compound-community-licenses.eth domain.

Impact

If proposal 265 is enacted and proposal 262 fails, subsequent execution of proposal 265 will add the Arbitrum USDT Comet Market address of the failed proposal as an official market in the v3-official-markets ENS record.

If both proposals are enacted and proposal 265 is executed first, the ENS record changes made by the first executed proposal will be replaced by the changes of the second executed proposal effectively removing the Polygon USDT Comet Market address from the v3-official-markets ENS record.

Cause

Both proposals call the setText method of the ENS Resolver directly, which replaces the current value with a new value, without reading and modifying the current value before calling setText. Calling setText directly as a proposal instruction requires that the record value be determined no later than the time of proposal. At the time proposal 265 was proposed, it was assumed that proposal 262 would pass and execute before proposal 265.

Remedy

If these risks are realized, a new proposal is needed to correct the ENS record.

Prevention

  • Wait until all proposals that update the ENS record using setText directly have either executed or failed before proposing an update to the ENS record.
  • To allow for any number of concurrent proposals to update the ENS record without adverse effects, all pending proposals that update the ENS record must determine the setText value at time of proposal execution using an audited contract method that does the following:
    1. reads the current ENS record JSON value
    2. identifies where in that JSON value the new market should be added
    3. creates a new valid JSON value with the new market inserted
    4. uses setText to update the record to the new value
2 Likes