Back to fatherOfBlocks's contests

Nouns Builder contest - fatherOfBlocks's results

A permissionless, governed protocol to deploy nouns-style DAOs complete with treasury, generative collections, and governance mechanisms.

General Information

Platform: Code4rena

Start Date: 06/09/2022

Pot Size: $90,000 USDC

Total HM: 33

Participants: 168

Period: 9 days

Judge: GalloDaSballo

Total Solo HM: 10

Id: 157

League: ETH

Nouns Builder

Findings Distribution

Researcher Performance

Rank: 63/168

Findings: 3

Award: $176.86

🌟 Selected for report: 0

πŸš€ Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryNouns Builder

Findings Information

🌟 Selected for report: chatch

Also found by: 0x4non, Chom, R2, ak1, ayeslick, fatherOfBlocks, hyh, rvierdiiev, scaraven, simon135, zzzitron

Labels

bug
duplicate
2 (Med Risk)
sponsor disputed

Awards

70.6842 USDC - $70.68

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-09-nouns-builder/blob/7e9fddbbacdd7d7812e912a369cfd862ee67dc03/src/governance/governor/Governor.sol#L160-L166 https://github.com/code-423n4/2022-09-nouns-builder/blob/7e9fddbbacdd7d7812e912a369cfd862ee67dc03/src/governance/governor/Governor.sol#L434-L438

Vulnerability details

Impact

When a proposal is created, the values ​​of voteStart and voteEnd are set, but when they are set, their values ​​are not validated: block.timestamp + settings.votingDelay and block.timestamp + settings.votingPeriod, be > block.timestamp. This is necessary because if the two values ​​were equal: voteStart == voteEnd would generate certain inconsistencies, for example: that the state() function returns Pending, when there is no real time to vote. In addition, there would be the problem of creating a proposal that will never be able to be voted on.

This could be fixed by validating that voteStart has to be > voteEnd

#0 - GalloDaSballo

2022-09-17T01:48:30Z

You'd want to require votingPeriod to be non-zero in the setter.

I think this is QA but will think about it

#1 - iainnash

2022-09-26T19:03:18Z

I think someone else correctly called out votingPeriod to be nonZero in the setter. Would also argue for QA since this is a permissioned call and does not directly call out where this issue is introduced.

#2 - GalloDaSballo

2022-09-26T23:25:06Z

Dup of #482 , while the immediate reaction was QA, other reports have shown specific ways to cause DOS and brick the governor

Findings Information

🌟 Selected for report: Lambda

Also found by: 0x1337, 0x1f8b, 0x4non, 0x85102, 0xA5DF, 0xNazgul, 0xSmartContract, 0xbepresent, 0xc0ffEE, 8olidity, Aymen0909, B2, Bnke0x0, CRYP70, Captainkay, CertoraInc, Ch_301, Chom, ChristianKuri, CodingNameKiki, Deivitto, Diana, DimitarDimitrov, ElKu, EthLedger, Franfran, Funen, GimelSec, JansenC, Jeiwan, Jujic, Lead_Belly, MEP, MasterCookie, MiloTruck, Noah3o6, PPrieditis, PaludoX0, Picodes, PwnPatrol, R2, Randyyy, RaymondFam, Respx, ReyAdmirado, Rolezn, Samatak, Tointer, Tomo, V_B, Waze, _Adam, __141345__, a12jmx, ak1, asutorufos, azephiar, ballx, bharg4v, bin2chen, bobirichman, brgltd, bulej93, c3phas, cccz, ch0bu, cloudjunky, cryptonue, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, davidbrai, delfin454000, dharma09, dic0de, dipp, djxploit, eierina, erictee, fatherOfBlocks, gogo, hansfriese, hyh, imare, indijanc, izhuer, jonatascm, ladboy233, leosathya, lucacez, lukris02, m9800, martin, minhtrng, ne0n, neumo, oyc_109, p_crypt0, pashov, pauliax, pcarranzav, pedr02b2, peritoflores, pfapostol, rbserver, ret2basic, robee, rvierdiiev, sach1r0, sahar, scaraven, sikorico, simon135, slowmoses, sorrynotsorry, tnevler, tonisives, volky, yixxas, zkhorse, zzzitron

Awards

60.7743 USDC - $60.77

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue

Treasury.sol

  • L141 - The execute() function has several arrays and they are used inside a for, but it is not validated that they have equal sizes so that they do not revert without displaying a correct message.

#0 - GalloDaSballo

2022-09-26T21:33:15Z

R

Findings Information

🌟 Selected for report: pfapostol

Also found by: 0x1f8b, 0x4non, 0x5rings, 0xA5DF, 0xSmartContract, 0xc0ffEE, 0xkatana, Aymen0909, Bnke0x0, CertoraInc, Chandr, CodingNameKiki, Cr4ckM3, Deivitto, DimSon, Franfran, JAGADESH, JC, Jeiwan, Lambda, LeoS, Matin, Metatron, Migue, MiloTruck, PPrieditis, PaludoX0, R2, RaymondFam, Respx, ReyAdmirado, Rolezn, Saintcode_, Samatak, SnowMan, StevenL, Tointer, TomJ, Tomo, WatchDogs, Waze, _Adam, __141345__, ajtra, asutorufos, ballx, brgltd, bulej93, c3phas, ch0bu, dharma09, djxploit, durianSausage, easy_peasy, fatherOfBlocks, gianganhnguyen, gogo, imare, leosathya, lucacez, martin, oyc_109, pauliax, peiw, prasantgupta52, ret2basic, rfa, robee, sikorico, simon135, tofunmi, volky, wagmi, zishansami

Awards

45.4138 USDC - $45.41

Labels

bug
G (Gas Optimization)

External Links

Link to GitHub issue

Treasury.sol

  • L162 - It is not necessary to initialize a variable with its default value since it generates an extra gas cost without having benefits in the understanding of the code.

Address L50 - It is less expensive to validate "variable != 0" than "variable > 0"

Metadata Renderer

  • L119/133/189/229 - It is not necessary to initialize a variable with its default value since it generates an extra gas cost without having benefits in the understanding of the code.

  • L124/151/194/226/237 - It is less expensive to make ++variable or --variable, than variable + 1 for example.

Token

  • L91/154 - It is less expensive to make ++variable or --variable, than variable + 1 for example.

#0 - GalloDaSballo

2022-09-26T15:59:55Z

L50 - It is less expensive to validate "variable != 0" than "variable > 0"

Only for require

50 gas overall

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax Β© 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter