Platform: Code4rena
Start Date: 18/10/2023
Pot Size: $36,500 USDC
Total HM: 17
Participants: 77
Period: 7 days
Judge: MiloTruck
Total Solo HM: 5
Id: 297
League: ETH
Rank: 44/77
Findings: 1
Award: $54.19
🌟 Selected for report: 0
🚀 Solo Findings: 0
54.1911 USDC - $54.19
The initialVotingDelay is set to 1 block, which means that approximately 12 seconds after creating the proposal, it is already possible to vote. The initialVotingPeriod is set to 15 blocks, which means the proposal will be open for voting in approximately 3 minutes.
Governor constructor
A malicious actor can create a proposal to replace all the contracts called by the governor on Vault721 (and other possible contracts that can be governed by the DAO in the future). By doing this, the attacker has many possibilities to exploit the contract, for example by modifying functions such as transferSAFEOwnership to transfer the user's vault/NFT to the malicious address instead of the original destination address.
Manual review
votingDelay to provide users with ample time to read the proposal and understand it clearly before making a hasty decision. A standard delay used by many protocols is 7200 blocks, which is approximately 1 day.
initialVotingPeriod to a duration that makes sense for the protocol. Many protocols set it to 50400 blocks, which is roughly equivalent to 1 week.
Governance
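A pre-deployment check for the timing parameters discussed in this finding, as an added example that is not part of the original report or the audited code base. The function names, the 12-second block time and the minimums (1 day, 1 week, taken from the recommendation above) are assumptions of the example.

```python
# Added example: audit block-denominated governor timing before deployment.
# All names here are hypothetical; thresholds follow the finding's recommendation.

SECONDS_PER_BLOCK = 12           # assumption: ~12 s per block, as the finding states
MIN_DELAY_SECONDS = 86_400       # ~1 day  (7200 blocks at 12 s)
MIN_PERIOD_SECONDS = 604_800     # ~1 week (50400 blocks at 12 s)


def humanize(seconds):
    """Render a duration using its two largest non-zero units, e.g. '3m 12s'."""
    parts = []
    for label, size in (("d", 86_400), ("h", 3_600), ("m", 60), ("s", 1)):
        count, seconds = divmod(seconds, size)
        if count:
            parts.append(f"{count}{label}")
    return " ".join(parts[:2]) or "0s"


def audit_governor_timing(voting_delay, voting_period,
                          seconds_per_block=SECONDS_PER_BLOCK):
    """Convert block counts to wall-clock time and flag windows that are too short."""
    if voting_delay < 0 or voting_period <= 0:
        raise ValueError("voting_delay must be >= 0 and voting_period > 0")
    delay_s = voting_delay * seconds_per_block
    period_s = voting_period * seconds_per_block
    findings = []
    if delay_s < MIN_DELAY_SECONDS:
        findings.append(f"votingDelay gives only {humanize(delay_s)} to review a "
                        f"proposal (minimum {humanize(MIN_DELAY_SECONDS)})")
    if period_s < MIN_PERIOD_SECONDS:
        findings.append(f"votingPeriod keeps voting open for only "
                        f"{humanize(period_s)} (minimum {humanize(MIN_PERIOD_SECONDS)})")
    return {
        "review_window": humanize(delay_s),
        "voting_window": humanize(period_s),
        # Time from proposal creation until the vote closes.
        "proposal_to_close": humanize(delay_s + period_s),
        "findings": findings,
    }


if __name__ == "__main__":
    # Values from the finding (1 / 15 blocks) next to the recommended ones.
    for delay, period in ((1, 15), (7200, 50400)):
        print(delay, period, audit_governor_timing(delay, period))
```

Passing a different `seconds_per_block` re-evaluates the same block counts for a chain with another block time, since the minimums are expressed in seconds.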
#0 - c4-pre-sort
2023-10-26T05:16:27Z
raymondfam marked the issue as low quality report
#1 - c4-pre-sort
2023-10-26T05:16:46Z
raymondfam marked the issue as duplicate of #73
#2 - c4-judge
2023-11-02T07:06:55Z
MiloTruck changed the severity to 2 (Med Risk)
#3 - c4-judge
2023-11-02T08:47:12Z
MiloTruck marked the issue as satisfactory