Platform: Code4rena
Start Date: 03/03/2023
Pot Size: $90,500 USDC
Total HM: 4
Participants: 42
Period: 7 days
Judge: 0xean
Total Solo HM: 2
Id: 219
League: ETH
Rank: 32/42
Findings: 1
Award: $72.43
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: rbserver
Also found by: 0x6980, 0xAgro, 0xSmartContract, 0xmichalis, 0xnev, BRONZEDISC, DevABDee, IceBear, RaymondFam, Rolezn, SaeedAlipoor01988, Sathish9098, arialblack14, brgltd, chrisdior4, codeislight, descharre, imare, lukris02, luxartvinsec, matrix_0wl, tnevler, yongskiws
72.4344 USDC - $72.43
Inside Multisig#createPoposal there is no verification that user will have enough time to for approving this proposal. A check for minimal interval between start and end date is missing.
PluginSetupProcessor to verify if uninstalling a plugin version will work in the futureManually checking that the prepared data for uninstall after installing a plugin can be a tedious maybe also unnecessary work.
The PluginSetupProcessor should have a method that:
install data for a version of a plugin thenuninstall data with the same input as in the install data preparation callinstall data are revoked by the uninstall data.By having this method as a view returning bool on successfully rollback of permissions the DAO has assurance that uninstallation of a plugin will work.
#0 - c4-judge
2023-03-12T16:07:23Z
0xean marked the issue as grade-c
#1 - 0xean
2023-03-18T23:08:52Z
warden also has issues #134 and #135 included as part of their QA, and as such, will upgrade to grade B
#2 - c4-judge
2023-03-18T23:08:56Z
0xean marked the issue as grade-b
#3 - novaknole20
2023-03-22T13:08:02Z
QA-1 Yep but that is fine for a Multsig. We used the safe as a reference and they don't have it either.
QA-2 I don't believe that this should belong into the contract. If such a verification is necessary one can use a TX simulator like tenderly.
#4 - c4-sponsor
2023-03-22T13:08:06Z
novaknole20 marked the issue as sponsor disputed