Platform: Code4rena
Start Date: 22/08/2022
Pot Size: $50,000 USDC
Total HM: 4
Participants: 160
Period: 5 days
Judge: gzeon
Total Solo HM: 2
Id: 155
League: ETH
Rank: 102/160
Findings: 1
Award: $35.44
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0bi, 0x040, 0x1337, 0x1f8b, 0xDjango, 0xNazgul, 0xNineDec, 0xRajeev, 0xSky, 0xSmartContract, 0xbepresent, 0xkatana, 0xmatt, 8olidity, Aymen0909, Bjorn_bug, Bnke0x0, CertoraInc, Ch_301, Chom, CodingNameKiki, Deivitto, DevABDee, DimitarDimitrov, Dravee, ElKu, Funen, GalloDaSballo, GimelSec, Guardian, Haruxe, JC, JansenC, Jeiwan, JohnSmith, KIntern_NA, Lambda, LeoS, Noah3o6, Olivierdem, R2, RaymondFam, Respx, ReyAdmirado, Rohan16, Rolezn, Ruhum, Saintcode_, Sm4rty, SooYa, Soosh, TomJ, Tomo, Trabajo_de_mates, Waze, _Adam, __141345__, ajtra, android69, asutorufos, auditor0517, berndartmueller, bobirichman, brgltd, c3phas, cRat1st0s, carlitox477, catchup, cccz, csanuragjain, d3e4, delfin454000, dipp, djxploit, durianSausage, erictee, exd0tpy, fatherOfBlocks, gogo, hyh, ladboy233, lukris02, mics, mrpathfindr, natzuu, oyc_109, p_crypt0, pashov, pauliax, pfapostol, prasantgupta52, rajatbeladiya, rbserver, ret2basic, rfa, robee, rokinot, rvierdiiev, sach1r0, saian, seyni, shenwilly, sikorico, simon135, sryysryy, sseefried, throttle, tnevler, tonisives, wagmi, xiaoming90, yixxas, z3s, zkhorse, zzzitron
35.4387 USDC - $35.44
The vetoer is able to cancel any proposal not yet executed. The current vetoer is able to transfer their priveleges to any other address by calling the _setVetoer function in NounsDAOLogicV2.sol. This single step process may lead to irrevocable errors when changing vetoers.
To prevent errors such as setting the wrong address as the vetoer, it is recommended to add an additional step to change the vetoer such as the 2-step process currently used to change the admin.
The _refundFee function in NounsDAOLogicV2.sol may be called when a user votes on a proposal and would like some of the gas costs refunded. The function makes use of the basefee function for calculations. The basefee function is only supported from solidity compiler v0.8.7 and up. Since the contract has a floating pragma allowing it to be compiled with v0.8.6 to the latest version this should not currently cause any compile issues. However, if the compiler version were to be locked to 0.8.6 the contract would have issues during compilation.
If the pragmas are going to be locked, then be sure to use v0.8.7 or higher.
On line 783 in NounsDAOLogicV2.sol, the _withdraw function is an admin function used to withdraw funds sent to the contract. The lack of documentation describing the function and the reasoning behind it might lead some users to misunderstand this as a rug vector. Without a desription of the function, if someone pointed out that the function could be used as a rug vector there could be reputational damage to the protocol. Consider adding a description for the function to prevent such a scenario.
On line 852 in NounsDAOLogicV2.sol, the comment seems to be meant for the _acceptAdmin function. Consider changing the comment to read 'Check caller is vetoer'.