Platform: Code4rena
Start Date: 22/08/2022
Pot Size: $50,000 USDC
Total HM: 4
Participants: 160
Period: 5 days
Judge: gzeon
Total Solo HM: 2
Id: 155
League: ETH
Rank: 96/160
Findings: 1
Award: $35.45
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0bi, 0x040, 0x1337, 0x1f8b, 0xDjango, 0xNazgul, 0xNineDec, 0xRajeev, 0xSky, 0xSmartContract, 0xbepresent, 0xkatana, 0xmatt, 8olidity, Aymen0909, Bjorn_bug, Bnke0x0, CertoraInc, Ch_301, Chom, CodingNameKiki, Deivitto, DevABDee, DimitarDimitrov, Dravee, ElKu, Funen, GalloDaSballo, GimelSec, Guardian, Haruxe, JC, JansenC, Jeiwan, JohnSmith, KIntern_NA, Lambda, LeoS, Noah3o6, Olivierdem, R2, RaymondFam, Respx, ReyAdmirado, Rohan16, Rolezn, Ruhum, Saintcode_, Sm4rty, SooYa, Soosh, TomJ, Tomo, Trabajo_de_mates, Waze, _Adam, __141345__, ajtra, android69, asutorufos, auditor0517, berndartmueller, bobirichman, brgltd, c3phas, cRat1st0s, carlitox477, catchup, cccz, csanuragjain, d3e4, delfin454000, dipp, djxploit, durianSausage, erictee, exd0tpy, fatherOfBlocks, gogo, hyh, ladboy233, lukris02, mics, mrpathfindr, natzuu, oyc_109, p_crypt0, pashov, pauliax, pfapostol, prasantgupta52, rajatbeladiya, rbserver, ret2basic, rfa, robee, rokinot, rvierdiiev, sach1r0, saian, seyni, shenwilly, sikorico, simon135, sryysryy, sseefried, throttle, tnevler, tonisives, wagmi, xiaoming90, yixxas, z3s, zkhorse, zzzitron
35.4484 USDC - $35.45
Finding: quorumCoefficient parameter value is not validated
Severity: QA, non-critical
File: NounsDAOLogicV2.sol
Description:
In the initialize function, a new parameter was added: DynamicQuorumParams calldata dynamicQuorumParams_. DynamicQuorumParams is a new structure with the fields minQuorumVotesBPS, maxQuorumVotesBPS, and quorumCoefficient.
Of these three, quorumCoefficient has no value validation when it is set. The value is not validated in the _setDynamicQuorumParams function either.
It's recommended to add constraints to the quorumCoefficient parameter in either the initialize or the _setDynamicQuorumParams function to avoid setting an invalid value in the future.
Finding: Poor validation of newMinQuorumVotesBPS parameter value
File: NounsDAOLogicV2.sol
Severity: QA, non-critical
Description:
The _setMinQuorumVotesBPS function sets a new minimal quorum votes basis points value, which is passed via the newMinQuorumVotesBPS parameter. This parameter is checked against maxQuorumVotesBPS of the dynamic quorum parameters at the current block. Another function that can set a new minimal quorum votes basis points value, _setDynamicQuorumParams, has no such check, which allows an incorrect value to be set for minQuorumVotesBPS.
It's recommended to add the missing check to the _setDynamicQuorumParams function to ensure that a newly set value is correct.
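The recommendations in the two findings above (a bound on quorumCoefficient and a min-against-max check on every setter) can both be met by routing every write through one shared validator, so the checks cannot drift apart between functions. This is an added sketch, not code from NounsDAOLogicV2.sol or from the report author. Assumptions: the contract name, the admin model, the field widths, the omission of per-block checkpointing, and the MAX_QUORUM_COEFFICIENT value are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;

/// Added illustration (hypothetical contract), not NounsDAOLogicV2 itself.
contract DynamicQuorumValidationSketch {
    struct DynamicQuorumParams {
        uint16 minQuorumVotesBPS;
        uint16 maxQuorumVotesBPS;
        uint32 quorumCoefficient; // field widths are assumptions
    }

    // Value stated in the report: 6000 bps upper bound in V2.
    uint16 public constant MAX_QUORUM_VOTES_BPS_UPPER_BOUND = 6000;
    // Hypothetical placeholder: the report does not say which range is valid.
    uint32 public constant MAX_QUORUM_COEFFICIENT = 10_000_000;

    address public admin;
    DynamicQuorumParams public params;

    // Stands in for initialize(): the initial values pass the same checks.
    constructor(DynamicQuorumParams memory initial) {
        admin = msg.sender;
        _validate(initial);
        params = initial;
    }

    // Sets all three fields at once.
    function _setDynamicQuorumParams(DynamicQuorumParams memory p) external {
        require(msg.sender == admin, "admin only");
        _validate(p);
        params = p;
    }

    // Sets one field, then validates the resulting full parameter set.
    function _setMinQuorumVotesBPS(uint16 newMinQuorumVotesBPS) external {
        require(msg.sender == admin, "admin only");
        DynamicQuorumParams memory p = params;
        p.minQuorumVotesBPS = newMinQuorumVotesBPS;
        _validate(p);
        params = p;
    }

    // Single source of truth for the invariants on the parameter set.
    function _validate(DynamicQuorumParams memory p) internal pure {
        require(p.maxQuorumVotesBPS <= MAX_QUORUM_VOTES_BPS_UPPER_BOUND, "max quorum bps too high");
        require(p.minQuorumVotesBPS <= p.maxQuorumVotesBPS, "min quorum bps above max");
        require(p.quorumCoefficient <= MAX_QUORUM_COEFFICIENT, "quorum coefficient too high");
    }
}
```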
Finding: Unused constant MAX_QUORUM_VOTES_BPS
Severity: QA, non-critical
File: NounsDAOLogicV2.sol
Description:
The MAX_QUORUM_VOTES_BPS constant was not removed during the upgrade to V2. It can introduce confusion to the code since the actual maximal quorum votes basis points were set to 6000 in V2 in another constant, MAX_QUORUM_VOTES_BPS_UPPER_BOUND.
It's recommended to remove the constant to avoid confusion.
Finding: Missing fields in ProposalCreated and ProposalCreatedWithRequirements events
Severity: QA, non-critical
File: NounsDAOLogicV2.sol
Description:
New fields were added to the Proposal structure: totalSupply and creationBlock. However, they were not added to the relevant events: ProposalCreated and ProposalCreatedWithRequirements.
Events serve the purpose of indexing on-chain data to make changes in data easily discoverable. Adding the new fields to the events will improve monitoring and indexing of new proposals off-chain. Since the block number is always provided when querying events/logs from an Ethereum node, it's recommended to add only totalSupply to the relevant events.