Snapshot.org - Proposal Space Confusion

Vulnerability Note

1 Summary

Snapshot.org is an off-chain, gasless multi-governance client with easy-to-verify and hard-to-contest results. Project owners may use snapshot.org for off-chain governance by creating a dedicated space for their project and having users vote on proposals. Proposals are created by authorized users and are uniquely identified by a URL of the form ://snapshot.org/#/<space>/proposal/<proposalID>, where proposalID is an IPFS CID.

It was found that the web interface did not enforce that a proposal actually belongs to the space hinted at in the URL. By changing the space in the URL, a user can make a specific proposalID appear as if it were part of that space. The web interface even re-dresses parts of the foreign proposalID’s content to fit the target space hinted at in the URL.

This may allow an attacker to craft a URL that re-dresses a malicious proposalID so that it looks like a valid proposal from another space, in an attempt to convince users of a specific outcome of the vote on a proposal.

2 Details

2.1 Description

  1. attacker: create a fake space
  2. attacker: create a fake proposal (clone a target vote, e.g. from the target space)
  3. attacker: fake votes on the proposal in the fake space
  4. attacker: share the link to the fake proposalID (IPFS hash) re-dressed under the target space to make it look like a valid vote from that space.

Factors supporting the confusion:

  • The space name in the URL and on the proposal page may be considered trusted by users. People relying on it may not realise that they are looking at a fake proposal.
  • Some strategy icons appear to be dressed as if they belong to the target space even though the proposal was from another space. The hover text, however, may reveal that the proposal is spoofed.
  • The information box can be spoofed almost completely.
  • The proposal page shows only the first 7 characters of the IPFS CID. These may easily “collide”, as the first couple of characters are the IPFS CID type and version followed by parts of the encoded hashing algorithm.
  • Token names are taken from the target space rather than from the original proposal’s space (even though those could probably be spoofed easily too), so it is not obvious that the vote never happened under the target space.
  • Voting might not work (untested).

This should be enough to confuse some people into believing that the proposal really happened in that space.

2.2 Proof of Concept

Quick verification:

  1. Open the target space.
  2. Open another space in a second browser tab.
  3. Copy a proposal CID from the 2nd space into the 1st space’s URL.
  4. The proposal from the 2nd space appears as if it were from the 1st space.

[screenshot: snapshot-phish]

3 Vendor Response

Vendor response:

Now if you go on a wrong URL you will get redirected to the correct one
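The check behind that fix, as an added illustration that is not Snapshot's own code: the space in the URL is treated as a hint only, the proposal's real space is looked up by CID, and a mismatch redirects to the canonical URL instead of re-dressing the proposal. It assumes a constructed in-memory CID-to-space map with placeholder CIDs; the hypothetical shortIdIsAmbiguous helper also shows why the 7-character CID display from section 2.1 is a weak identifier.

```javascript
// Added example (not Snapshot's own code). Assumes a lookup from proposal CID
// to the space that really created it; here a constructed in-memory map with
// placeholder CIDs that are not real proposals.
const PROPOSAL_SPACE = {
  QmPlaceholderTargetProposalaaaa: "target.eth",
  QmPlaceholderAttackerProposalbbbb: "attacker.eth",
};

// Parse the hash route "#/<space>/proposal/<proposalID>" of a Snapshot URL.
// Returns null when the URL is malformed or the route has another shape.
function parseProposalRoute(url) {
  let hash;
  try {
    hash = new URL(url).hash;
  } catch (e) {
    return null;
  }
  const m = /^#\/([^/]+)\/proposal\/([^/?#]+)/.exec(hash);
  return m ? { space: m[1], proposalId: m[2] } : null;
}

// Decide how to serve a proposal URL. The vulnerable behaviour rendered the
// proposal under whatever space the URL hinted; this does what the vendor fix
// describes instead: a mismatch redirects to the CID's original space.
function resolveProposalView(url, origin = "https://snapshot.org") {
  const route = parseProposalRoute(url);
  if (!route) return { action: "not-found" };
  const realSpace = PROPOSAL_SPACE[route.proposalId];
  if (!realSpace) return { action: "not-found" };
  if (realSpace !== route.space) {
    return {
      action: "redirect",
      to: `${origin}/#/${realSpace}/proposal/${route.proposalId}`,
      hintedSpace: route.space,
      realSpace,
    };
  }
  return { action: "render", space: realSpace, proposalId: route.proposalId };
}

// The page only showed the first 7 characters of the CID. CIDv0 strings all
// begin with the same "Qm" prefix, so unrelated proposals easily share the
// displayed short form; report whether a CID's short form is ambiguous.
function shortIdIsAmbiguous(cid, knownCids, shown = 7) {
  const prefix = cid.slice(0, shown);
  return knownCids.some((c) => c !== cid && c.slice(0, shown) === prefix);
}
```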

3.1 Timeline

AUG/25/2021 - contacted snapshot.org/fabien via their Discord.
AUG/26/2021 - fixed by redirecting to the CID's original space.