Report: Recursive call vulnerability in DBVN.sol

The DBVN has a minor recursive call vulnerability, see this question on ethereum.stackexchange.com

The recursive call “bug” comes from that when a contract calls another contract, the other contract could include code to call the original function on the calling contract, and this second recursive call would be processed before the first one was finished.

A look at the DBVN code

Since the DBVN changes the state of the proposal to

p.executed = true

only after it has called the recipient

p.recipient.call.value(p.amount)(transactionBytecode)

the recipient could perform a recursive call attack.

This is a minor vulnerability since the DBVN is able to audit the code of recipient (in the case recipient is a contract).

The default function

Smart-contracts on Ethereum have a default function, also called a fallback function, and this is what causes recursive call bugs.

With the DBVN, a contract could do a recursive call attack with this fallback function,

function() {
for(uint i = 0; i<100; i++) {
        DBVN.executeProposal(proposalNumber, transactionBytecode);
    }
}

Fix this bug by moving p.executed = true

To fix this, put p.recipient.call.value()() after p.executed = true

/* execute result */ 
if (p.currentResult > majorityMargin) {
    p.proposalPassed = true;
    p.executed = true;
    p.recipient.call.value(p.amount)(transactionBytecode);

Links:

Lessons on Preparation for Disaster from the DAO

More Ethereum Attacks: Race-To-Empty is the Real Deal

What is a recursive calling vulnerability?

Analysis of the DAO exploit

Add default re-entry protection with opt-out keyword. · Issue #662 · ethereum/solidity

Language-based fix for "Callstack attack" bug · Issue #656 · ethereum/solidity

Smart Contract Security - Ethereum Blog