Platform: Code4rena
Start Date: 06/09/2022
Pot Size: $90,000 USDC
Total HM: 33
Participants: 168
Period: 9 days
Judge: GalloDaSballo
Total Solo HM: 10
Id: 157
League: ETH
Rank: 46/168
Findings: 1
Award: $349.06
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: zkhorse
Also found by: MEP, Picodes, Solimander, berndartmueller, hxzy, hyh, pcarranzav, pfapostol
349.0578 USDC - $349.06
https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/lib/token/ERC721Votes.sol#L196-L235
https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/lib/token/ERC721.sol#L125-L151
If governance relies on the vote counts tracked by the Token contract, malicious accounts can obtain more votes than their token holdings warrant and thereby affect the outcome of governance.
As shown in the screenshot at https://photos.app.goo.gl/F4fWny2gStRbNkQa6, the total token supply is 2, yet the address 0x17F6 holds 4 votes. Steps to reproduce: using an account that holds Tokens, call the delegates or delegateBySig function to delegate its votes to a chosen address. Once delegation is complete, call safeTransferFrom to move all of that account's Tokens to a second account, then have the second account call delegates or delegateBySig to delegate to the same chosen address. The chosen address now holds twice as many votes as the number of Tokens involved. By repeatedly transferring the Tokens and calling the delegates function again, the vote count of the chosen address can in theory be increased to an arbitrarily large value.
Remix, VS Code
When safeTransferFrom is called, also call _moveDelegateVotes so that the delegated vote counts are updated to reflect the transfer.
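As an added illustration, not part of the original submission or of the Nouns Builder code, the following Python model replays the scenario above on a simplified ERC721Votes-style ledger whose transfer hook either skips the delegate-vote update (the reported behaviour) or applies the recommended _moveDelegateVotes call. The names VotesToken, delegate, transfer and votes_consistent are the model's own, not the contract's; votes_consistent is the invariant a governance test suite would assert.

```python
class VotesToken:
    # Simplified ERC721Votes-style ledger (constructed model, not the project's code)
    def __init__(self, move_votes_on_transfer):
        self.owner_of = {}    # token_id -> holder
        self.balance = {}     # holder -> number of tokens held
        self.delegation = {}  # holder -> delegatee; unset means self-delegated
        self.votes = {}       # delegatee -> vote tally (plain int, no uint256 wrap-around)
        self.fixed = move_votes_on_transfer
    def delegates(self, account):
        return self.delegation.get(account, account)
    def _move_delegate_votes(self, src, dst, amount):
        # None stands in for address(0): minting has no source tally to decrement
        if src != dst and amount:
            if src is not None:
                self.votes[src] = self.votes.get(src, 0) - amount
            self.votes[dst] = self.votes.get(dst, 0) + amount
    def mint(self, to, token_id):
        self.owner_of[token_id] = to
        self.balance[to] = self.balance.get(to, 0) + 1
        self._move_delegate_votes(None, self.delegates(to), 1)
    def delegate(self, account, to):
        prev = self.delegates(account)
        self.delegation[account] = to
        self._move_delegate_votes(prev, to, self.balance.get(account, 0))
    def transfer(self, frm, to, token_id):
        assert self.owner_of[token_id] == frm
        self.owner_of[token_id] = to
        self.balance[frm] -= 1
        self.balance[to] = self.balance.get(to, 0) + 1
        if self.fixed:  # recommended fix: move votes between the two holders' delegatees
            self._move_delegate_votes(self.delegates(frm), self.delegates(to), 1)
    def votes_consistent(self):
        # Invariant for a test suite: each tally equals its delegators' balances, none negative
        expected = {}
        for holder, bal in self.balance.items():
            expected[self.delegates(holder)] = expected.get(self.delegates(holder), 0) + bal
        return (all(self.votes.get(d, 0) == n for d, n in expected.items())
                and all(v >= 0 for v in self.votes.values()))

def reproduce(fixed):
    """Replay the finding: total supply 2, yet delegatee X ends up credited with 4 votes."""
    t = VotesToken(move_votes_on_transfer=fixed)
    for tid in (1, 2):
        t.mint("alice", tid)
    t.delegate("alice", "X")             # X now holds alice's 2 votes
    for tid in (1, 2):
        t.transfer("alice", "bob", tid)  # vulnerable variant leaves X's tally untouched
    t.delegate("bob", "X")               # vulnerable: X credited with 4 votes, supply is 2
    return t.votes.get("X", 0), t.votes_consistent()
```

With the transfer hook disabled the model reports X at 4 votes and the invariant fails; with the fix applied X stays at 2 and the invariant holds.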
#0 - GalloDaSballo
2022-09-21T14:26:37Z
Dup of #413
#1 - GalloDaSballo
2022-09-21T14:27:03Z
Please use Imgur or Twitter next time, for your privacy and others' safety.