This post briefly summarizes the Eco Governance Proposal submitted on December 26, 2022. This proposal patches two bugs in the Random Inflation process, adds a blacklist to prevent pools, treasuries, and safes from being eligible for Random Inflation (see discussion here), and finally adds the univ2 ECO/USDC pool to the notifier so it can support rebase (see discussion here).
Both vulnerabilities patched are in the InflationRootHashProposal.sol contract that oversees the process of submitting the Merkle tree for distributing rewards for Random inflation.
The first vulnerability was a follow-up to our audit from ABDK (CVF-1.25 here). When a Merkle tree is challenged, the timeline is updated to allow for time to respond. When the response is given, the timeline also needed to be updated to allow the process to continue. The fix updates the timeline correctly for both challenge and response.
The second vulnerability was submitted by a whitehat through immunefi and occurred when a malicious Merkle tree was submitted. One challenge function,
claimMissingAccount, allows you to reject a Merkle tree by showing that it does not include a valid address. This requires you to make sure that elements adjacent to the missing address in the tree are validated. However, if the value of the missing address was greater than the last address in the tree, this function could not actually be correctly called because of the restrictions on the index you could submit. The fix allows
claimMissingAccount to be called with an index equal to the number of accounts to signify the missing account being greater than the largest account.
The Blacklist for random inflation has a separate discussion on its importance here. It is implemented in InflationRootHashProposal.sol as well by disallowing Merkle trees with the blacklisted addresses. Responses to challenges will fail if the address is a blacklisted address and blacklisted addresses cannot be claimed as missing from the Merkle tree.