Nouns Builder contest - csanuragjain's results

A permissionless, governed protocol to deploy nouns-style DAOs complete with treasury, generative collections, and governance mechanisms.

General Information

Platform: Code4rena

Start Date: 06/09/2022

Pot Size: $90,000 USDC

Total HM: 33

Participants: 168

Period: 9 days

Judge: GalloDaSballo

Total Solo HM: 10

Id: 157

League: ETH

Nouns Builder

Findings Distribution

Researcher Performance

Rank: 27/168

Findings: 2

Award: $790.61

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Nouns Builder

Findings Information

🌟 Selected for report: rbserver

Also found by: Solimander, csanuragjain

Labels

bug

duplicate

2 (Med Risk)

disagree with severity

Awards

729.7931 USDC - $729.79

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L441

Vulnerability details

Impact

Defeated proposal will be mark accepted and would be executed due to an incorrect condition.

Proof of Concept

Proposal A was created
proposal.voteEnd has reached and no one voted on this proposal

proposal.forVotes = 0
proposal.againstVotes = 0

As checked with product team, in case of tie proposal should get Defeated
Due to an incorrect condition (missing =), it will instead be Queued for execution, since proposal.forVotes < proposal.againstVotes will be false

function state(bytes32 _proposalId) public view returns (ProposalState) {
...
else if (proposal.forVotes < proposal.againstVotes || proposal.forVotes < proposal.quorumVotes) {
            return ProposalState.Defeated;
}
...
else {
            return ProposalState.Queued;
        }
}

Recommended Mitigation Steps

Change the condition to include = while comparing votes as shown below

else if (proposal.forVotes <= proposal.againstVotes || proposal.forVotes < proposal.quorumVotes) {
            return ProposalState.Defeated;
}

#0 - GalloDaSballo
2022-09-19T20:54:18Z

50 / 50, meaning this can happen exclusively on 1 specific vote

#1 - GalloDaSballo
2022-09-21T14:29:50Z

Dup of https://github.com/code-423n4/2022-09-nouns-builder-findings/issues/626

Findings Information

🌟 Selected for report: Lambda

Also found by: 0x1337, 0x1f8b, 0x4non, 0x85102, 0xA5DF, 0xNazgul, 0xSmartContract, 0xbepresent, 0xc0ffEE, 8olidity, Aymen0909, B2, Bnke0x0, CRYP70, Captainkay, CertoraInc, Ch_301, Chom, ChristianKuri, CodingNameKiki, Deivitto, Diana, DimitarDimitrov, ElKu, EthLedger, Franfran, Funen, GimelSec, JansenC, Jeiwan, Jujic, Lead_Belly, MEP, MasterCookie, MiloTruck, Noah3o6, PPrieditis, PaludoX0, Picodes, PwnPatrol, R2, Randyyy, RaymondFam, Respx, ReyAdmirado, Rolezn, Samatak, Tointer, Tomo, V_B, Waze, _Adam, __141345__, a12jmx, ak1, asutorufos, azephiar, ballx, bharg4v, bin2chen, bobirichman, brgltd, bulej93, c3phas, cccz, ch0bu, cloudjunky, cryptonue, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, davidbrai, delfin454000, dharma09, dic0de, dipp, djxploit, eierina, erictee, fatherOfBlocks, gogo, hansfriese, hyh, imare, indijanc, izhuer, jonatascm, ladboy233, leosathya, lucacez, lukris02, m9800, martin, minhtrng, ne0n, neumo, oyc_109, p_crypt0, pashov, pauliax, pcarranzav, pedr02b2, peritoflores, pfapostol, rbserver, ret2basic, robee, rvierdiiev, sach1r0, sahar, scaraven, sikorico, simon135, slowmoses, sorrynotsorry, tnevler, tonisives, volky, yixxas, zkhorse, zzzitron

Awards

60.8197 USDC - $60.82

Labels

bug

QA (Quality Assurance)

External Links

Link to GitHub issue

User can overwrite other user bids

Contract: https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/auction/Auction.sol#L331

Impact

If admin sets minimumBidIncrement to 0 percent then one User can overwrite other user bids without need to provide extra funds

Proof of Concept

Assume that settings.minBidIncrement is currently set to 0 by Admin
User A creates bid on the auction with amount X
Since settings.minBidIncrement is 0, so User B only needs to provide amount X which will replace User A bid with User B bid

Recommended Mitigation Steps

Add a check to make sure settings.minBidIncrement>0

require(settings.minBidIncrement>0, "Incorrect increment");

Auction can be extended to an indefinite amount of time

Contract: https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/auction/Auction.sol#L323

Impact

Auction can be extended to an indefinite amount of time

Proof of Concept

Assume that settings.timeBuffer is currently set to a 1000 days by Admin
User A creates bid on the auction with amount X
Since settings.timeBuffer is 1000 days, so new Auction can only be created post 1000 days

Recommended Mitigation Steps

There should be a max cap on timeBuffer

Nouns Builder contest - csanuragjain's results

A permissionless, governed protocol to deploy nouns-style DAOs complete with treasury, generative collections, and governance mechanisms.

General Information

Findings Distribution

Researcher Performance

External Links

[M-28] Defeated proposal will be mark accepted - $729.79

Findings Information

Labels

Awards

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Recommended Mitigation Steps

#0 - GalloDaSballo2022-09-19T20:54:18Z

#1 - GalloDaSballo2022-09-21T14:29:50Z

[Q-41] QA Report - $60.82

Findings Information

Awards

Labels

External Links

User can overwrite other user bids

Impact

Proof of Concept

Recommended Mitigation Steps

Auction can be extended to an indefinite amount of time

Impact

Proof of Concept

Recommended Mitigation Steps

#0 - GalloDaSballo2022-09-26T21:25:40Z

User can overwrite other user bids

Auction can be extended to an indefinite amount of time

#0 - GalloDaSballo
2022-09-19T20:54:18Z

#1 - GalloDaSballo
2022-09-21T14:29:50Z

#0 - GalloDaSballo
2022-09-26T21:25:40Z