Platform: Code4rena
Start Date: 06/09/2022
Pot Size: $90,000 USDC
Total HM: 33
Participants: 168
Period: 9 days
Judge: GalloDaSballo
Total Solo HM: 10
Id: 157
League: ETH
Rank: 64/168
Findings: 2
Award: $165.49
🌟 Selected for report: 0
🚀 Solo Findings: 0
104.7173 USDC - $104.72
Anyone can create a proposal if his/her voting weight is greater than or equal to the proposal threshold. But if the proposer's voting weight is equal to the threshold, anyone can cancel this proposal.
In propose function, it ensures voting weight is greater than or equal to the proposal threshold:
// Ensure the caller's voting weight is greater than or equal to the threshold if (getVotes(msg.sender, block.timestamp - 1) < proposalThreshold()) revert BELOW_PROPOSAL_THRESHOLD();
But if the proposer's voting weight is equal to the threshold, anyone can call cancel due to this condition:
// Ensure the caller is the proposer or the proposer's voting weight has dropped below the proposal threshold if (msg.sender != proposal.proposer && getVotes(proposal.proposer, block.timestamp - 1) > proposal.proposalThreshold) revert INVALID_CANCEL();
Because the proposer’s voting weight is equal to the proposal.proposalThreshold, it will not be reverted and call cancel successfully.
None
L363 should use >= rather than >:
if (msg.sender != proposal.proposer && getVotes(proposal.proposer, block.timestamp - 1) >= proposal.proposalThreshold) revert INVALID_CANCEL();
#0 - Chomtana
2022-09-19T07:50:12Z
Dup #589
#1 - GalloDaSballo
2022-09-20T21:01:10Z
🌟 Selected for report: Lambda
Also found by: 0x1337, 0x1f8b, 0x4non, 0x85102, 0xA5DF, 0xNazgul, 0xSmartContract, 0xbepresent, 0xc0ffEE, 8olidity, Aymen0909, B2, Bnke0x0, CRYP70, Captainkay, CertoraInc, Ch_301, Chom, ChristianKuri, CodingNameKiki, Deivitto, Diana, DimitarDimitrov, ElKu, EthLedger, Franfran, Funen, GimelSec, JansenC, Jeiwan, Jujic, Lead_Belly, MEP, MasterCookie, MiloTruck, Noah3o6, PPrieditis, PaludoX0, Picodes, PwnPatrol, R2, Randyyy, RaymondFam, Respx, ReyAdmirado, Rolezn, Samatak, Tointer, Tomo, V_B, Waze, _Adam, __141345__, a12jmx, ak1, asutorufos, azephiar, ballx, bharg4v, bin2chen, bobirichman, brgltd, bulej93, c3phas, cccz, ch0bu, cloudjunky, cryptonue, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, davidbrai, delfin454000, dharma09, dic0de, dipp, djxploit, eierina, erictee, fatherOfBlocks, gogo, hansfriese, hyh, imare, indijanc, izhuer, jonatascm, ladboy233, leosathya, lucacez, lukris02, m9800, martin, minhtrng, ne0n, neumo, oyc_109, p_crypt0, pashov, pauliax, pcarranzav, pedr02b2, peritoflores, pfapostol, rbserver, ret2basic, robee, rvierdiiev, sach1r0, sahar, scaraven, sikorico, simon135, slowmoses, sorrynotsorry, tnevler, tonisives, volky, yixxas, zkhorse, zzzitron
60.7742 USDC - $60.77
We list 1 low-critical finding:
founderPct is defined as uint256, but it’s used for both uint8 and uint256.
founderPct is uint256 but is used by uin8: https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/token/Token.sol#L82 https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/token/Token.sol#L88
uint256 founderPct = _founders[i].ownershipPct; if ((totalOwnership += uint8(founderPct)) > 100) revert INVALID_FOUNDER_OWNERSHIP();
But L102 uint256 again: https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/token/Token.sol#L102
uint256 schedule = 100 / founderPct;
Define uint8 rather than uint256 in L82.
#0 - GalloDaSballo
2022-09-26T21:35:55Z
R