NOTE: The issue was reported by Statemind during the audit round of #23.

When someone creates a motion, its snapshot block is set to the current block.number. While, theoretically, it's totally correct and reasonable, there is a possibility to take a flashloan of the Lido governance token (LDO) and object the motion multiple times from different accounts until the objection threshold is reached.

Rough action plan:

• Disclose the issue.
• Prepare PR with a fix (look into the previous block.number - 1 snapshot block for LDO balance) (Fix: set snapshot block in the past #25)
• Consider to re-deploy ET once it becomes feasible (far-going plans).

Impact

The impact is tolerable since the main Lido DAO Aragon voting governance hand stays in absolute authority to perform any on-chain actions.

Mitigations without redeployment:

• Have monitoring for unusual on-chain activities (single-block objections occurred within the block of the motion creation)
• Once someone decides to exploit the behavior, the possibility of front-running could be circumvented by using the private communication channels with block proposers (e.g., Flashbots) to prevent tx interception and front-running inside the mempool.
• Full-fledged Aragon voting can still perform the necessary actions