Nouns Builder contest - pashov's results

A permissionless, governed protocol to deploy nouns-style DAOs complete with treasury, generative collections, and governance mechanisms.

General Information

Platform: Code4rena

Start Date: 06/09/2022

Pot Size: $90,000 USDC

Total HM: 33

Participants: 168

Period: 9 days

Judge: GalloDaSballo

Total Solo HM: 10

Id: 157

League: ETH

Nouns Builder

Findings Distribution

Researcher Performance

Rank: 36/168

Findings: 3

Award: $531.99

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: rbserver

Also found by: R2, cccz, dipp, joestakey, pashov

Labels

bug
duplicate
2 (Med Risk)

Awards

266.0096 USDC - $266.01

External Links

Lines of code

https://github.com/code-423n4/2022-09-nouns-builder/blob/debe9b792cc70510eadf9b3728cde5b0f2ec9a1f/src/governance/governor/Governor.sol#L468
https://github.com/code-423n4/2022-09-nouns-builder/blob/debe9b792cc70510eadf9b3728cde5b0f2ec9a1f/src/governance/governor/Governor.sol#L475

Vulnerability details

Proof of concept

/// @notice The current number of votes required to submit a proposal
function proposalThreshold() public view returns (uint256) {
    unchecked {
        return (settings.token.totalSupply() * settings.proposalThresholdBps) / 10_000;
    }
}

/// @notice The current number of votes required to be in favor of a proposal in order to reach quorum
function quorum() public view returns (uint256) {
    unchecked {
        return (settings.token.totalSupply() * settings.quorumThresholdBps) / 10_000;
    }
}

If settings.token.totalSupply() is still low, say 50, and the proposal and quorum thresholds are set below 200 bps (2%), then totalSupply * bps / 10_000 truncates to zero in both functions (50 * 199 / 10_000 = 0 in integer division), essentially allowing any proposal to be submitted and reach quorum without even one token holder voting for it, even though proposal and quorum thresholds were set.

Impact

The impact is that until the total supply is large enough for the configured basis points to produce a nonzero threshold, any proposal can be submitted, accepted and then, after the delay, treated as having reached quorum and be executed, all of this with zero votes for it. This is a serious concern for the DAO, because in that window essentially anyone can get arbitrary code executed by the governance contract.

Recommendation

Make both functions return some sensible MIN_VALUE if they amount to zero, for example MIN_PROPOSAL_THRESHOLD = 50, MIN_QUORUM_THRESHOLD = 150.
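To make the truncation concrete, here is a small Python model of the two functions above, added as an example rather than taken from the audited repository. It reproduces the totalSupply * bps / 10_000 formula with Solidity's truncating integer division, computes the supply at which a given bps setting stops rounding to zero, and contrasts the unpatched governor checks with a floored version along the lines of the recommendation. The GovernorModel class, its method names, the assumption that the proposer and quorum checks are plain "at least" comparisons, and the sample numbers are all constructed for illustration.

```python
"""Model of Nouns Builder's proposalThreshold()/quorum() integer arithmetic.

Added example, not code from the audited repository. Names, the >= checks
in GovernorModel and the sample numbers are assumptions for illustration.
"""

BPS_DENOMINATOR = 10_000


def bps_threshold(total_supply: int, bps: int) -> int:
    """Mirror of `(totalSupply * bps) / 10_000` in Solidity (floor division)."""
    return (total_supply * bps) // BPS_DENOMINATOR


def min_supply_for_nonzero(bps: int) -> int:
    """Smallest totalSupply at which bps_threshold() stops truncating to zero.

    Solves total_supply * bps >= 10_000, i.e. ceil(10_000 / bps).
    """
    if bps <= 0:
        raise ValueError("bps must be positive")
    return -(-BPS_DENOMINATOR // bps)


class GovernorModel:
    """Just enough of the Governor's checks to show the zero-threshold window.

    Assumes a proposer needs at least proposal_threshold() votes and a
    proposal needs at least quorum() votes in favor. min_proposal and
    min_quorum are the floors suggested in the recommendation; 0 means the
    unpatched behaviour.
    """

    def __init__(self, total_supply: int, proposal_bps: int, quorum_bps: int,
                 min_proposal: int = 0, min_quorum: int = 0):
        self.total_supply = total_supply
        self.proposal_bps = proposal_bps
        self.quorum_bps = quorum_bps
        self.min_proposal = min_proposal
        self.min_quorum = min_quorum

    def proposal_threshold(self) -> int:
        return max(bps_threshold(self.total_supply, self.proposal_bps), self.min_proposal)

    def quorum(self) -> int:
        return max(bps_threshold(self.total_supply, self.quorum_bps), self.min_quorum)

    def can_propose(self, proposer_votes: int) -> bool:
        return proposer_votes >= self.proposal_threshold()

    def quorum_reached(self, for_votes: int) -> bool:
        return for_votes >= self.quorum()


if __name__ == "__main__":
    # Constructed scenario: a freshly launched DAO with 5 tokens minted,
    # a 1% proposal threshold and a 10% quorum. Both truncate to zero.
    unpatched = GovernorModel(total_supply=5, proposal_bps=100, quorum_bps=1000)
    print("unpatched thresholds:", unpatched.proposal_threshold(), unpatched.quorum())
    print("zero-vote proposer passes:", unpatched.can_propose(0),
          "zero-vote quorum passes:", unpatched.quorum_reached(0))
    print("supply needed for 1% to be nonzero:", min_supply_for_nonzero(100))

    patched = GovernorModel(5, 100, 1000, min_proposal=50, min_quorum=150)
    print("patched zero-vote proposer passes:", patched.can_propose(0),
          "zero-vote quorum passes:", patched.quorum_reached(0))
```

Note that a floor larger than the early supply (as with MIN_PROPOSAL_THRESHOLD = 50 against 5 minted tokens) makes proposals impossible until the supply grows, which is the intended trade-off: a DAO that cannot act yet is safer than one that executes with zero votes.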

Findings Information

🌟 Selected for report: davidbrai

Also found by: Ch_301, Chom, PwnPatrol, bin2chen, cryptphi, pashov

Labels

bug
duplicate
2 (Med Risk)

Awards

205.2074 USDC - $205.21

External Links

Lines of code

https://github.com/code-423n4/2022-09-nouns-builder/blob/debe9b792cc70510eadf9b3728cde5b0f2ec9a1f/src/lib/token/ERC721Votes.sol#L144

Vulnerability details

Proof of concept

If a user calls the delegateBySig() function with the zero address (for example unintentionally) as the value of the _to argument, then the new delegate of the _from address becomes the zero address, effectively burning their voting power. Ideally, if the _to argument is the zero address it should be treated as the _from address, so the user keeps their votes instead of burning them.

Impact

This vulnerability can result in undesired loss of governance power for a user.

Recommendation

On the first line of delegateBySig add the following code:

if (_to == address(0)) {
    _to = _from;
}
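The following Python model of the delegation bookkeeping shows what the zero-address path does to a holder's votes and how the guard above changes it. It is an added example, not code from the audited repository: it imitates the common pattern of a delegation mapping where the zero address means "self" plus a per-delegate vote counter that does not credit the zero address when moving votes. The VoteLedger class, its method names, the guard_zero_address switch and the sample balances are assumptions for illustration; signature verification is omitted since it plays no role in the bug.

```python
"""Model of the ERC721Votes-style delegation bookkeeping behind the finding.

Added example, not code from the audited repository. VoteLedger, its
method names, the guard_zero_address switch and the balances are
assumptions; signature checking is left out on purpose.
"""

ZERO_ADDRESS = "0x0000000000000000000000000000000000000000"


class VoteLedger:
    def __init__(self, balances: dict[str, int]):
        self.balances = dict(balances)
        self.delegation: dict[str, str] = {}         # unset (zero) means self-delegation
        self.votes: dict[str, int] = dict(balances)  # everyone starts self-delegated

    def delegates(self, addr: str) -> str:
        current = self.delegation.get(addr, ZERO_ADDRESS)
        return addr if current == ZERO_ADDRESS else current

    def get_votes(self, addr: str) -> int:
        return self.votes.get(addr, 0)

    def _move_delegate_votes(self, src: str, dst: str, amount: int) -> None:
        if src == dst or amount == 0:
            return
        if src != ZERO_ADDRESS:
            self.votes[src] = self.get_votes(src) - amount
        if dst != ZERO_ADDRESS:  # votes moved to the zero address are credited to nobody
            self.votes[dst] = self.get_votes(dst) + amount

    def _delegate(self, from_addr: str, to_addr: str) -> None:
        prev = self.delegates(from_addr)
        self.delegation[from_addr] = to_addr
        self._move_delegate_votes(prev, to_addr, self.balances.get(from_addr, 0))

    def delegate_by_sig(self, from_addr: str, to_addr: str,
                        guard_zero_address: bool = False) -> None:
        """Unguarded: _to == zero address debits the current delegate and credits
        nobody. Guarded: treat the zero address as "delegate to self", which is
        the fix suggested in the recommendation."""
        if guard_zero_address and to_addr == ZERO_ADDRESS:
            to_addr = from_addr
        self._delegate(from_addr, to_addr)

    def total_counted_votes(self) -> int:
        return sum(self.votes.values())


if __name__ == "__main__":
    # Constructed balances: alice holds 3 tokens, bob holds 1.
    ledger = VoteLedger({"alice": 3, "bob": 1})
    ledger.delegate_by_sig("alice", ZERO_ADDRESS)
    # alice is reported as her own delegate yet holds 0 votes, and the
    # ledger now counts 1 vote in total instead of 4.
    print("unguarded:", ledger.delegates("alice"), ledger.get_votes("alice"),
          ledger.total_counted_votes())
    # Re-delegating to herself does not repair it in this model: prev and new
    # delegate are both alice, so no votes move.
    ledger.delegate_by_sig("alice", "alice")
    print("after self re-delegation:", ledger.get_votes("alice"))

    safe = VoteLedger({"alice": 3, "bob": 1})
    safe.delegate_by_sig("alice", ZERO_ADDRESS, guard_zero_address=True)
    print("guarded:", safe.get_votes("alice"), safe.total_counted_votes())
```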

Non library/interface files should use fixed compiler version

All contracts under src/lib/utils use floating pragma versions such as

pragma solidity ^0.8.0;

Locking the pragma helps to ensure that contracts do not accidentally get deployed using an outdated compiler version.
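A checker for this class of issue, added here as an example and not tooling from the audited repository: it walks a Solidity source tree, treats any pragma solidity spec that is not a single exact version as floating, and reports the offenders, which makes it usable as a pre-commit or CI gate. The function names, the directory layout used by demo() and the sample contracts it writes to a temporary directory are constructed for illustration.

```python
"""Scan a Solidity source tree for floating `pragma solidity` statements.

Added example, not tooling from the audited repository. Function names and
the constructed sample files in demo() are assumptions for illustration.
"""
import re
import tempfile
from pathlib import Path

# Captures the version spec of every `pragma solidity <spec>;` statement.
PRAGMA_RE = re.compile(r"^\s*pragma\s+solidity\s+([^;]+);", re.MULTILINE)
# A spec is locked only when it names exactly one version, e.g. 0.8.15.
LOCKED_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")


def is_floating_pragma(version_spec: str) -> bool:
    """True for '^0.8.0', '>=0.8.4 <0.9.0', '~0.8.0'; False for '0.8.15'."""
    return LOCKED_VERSION_RE.match(version_spec.strip()) is None


def floating_pragmas_in_source(source: str) -> list[str]:
    """All floating version specs found in one file's text."""
    return [m.group(1).strip() for m in PRAGMA_RE.finditer(source)
            if is_floating_pragma(m.group(1))]


def scan_sources(sources: dict[str, str]) -> dict[str, list[str]]:
    """Map path -> floating specs; files with only locked pragmas are omitted."""
    report: dict[str, list[str]] = {}
    for path, text in sources.items():
        floating = floating_pragmas_in_source(text)
        if floating:
            report[path] = floating
    return report


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk *.sol files under root and return the same report as scan_sources()."""
    sources = {p.relative_to(root).as_posix(): p.read_text() for p in root.rglob("*.sol")}
    return scan_sources(sources)


def demo() -> dict[str, list[str]]:
    """Write three constructed contracts to a temp dir, scan them, return the report."""
    samples = {
        "lib/utils/A.sol": "pragma solidity ^0.8.0;\n\ncontract A {}\n",
        "governance/B.sol": "// SPDX-License-Identifier: MIT\npragma solidity 0.8.15;\n\ncontract B {}\n",
        "lib/utils/C.sol": "pragma solidity >=0.8.4 <0.9.0;\n\ncontract C {}\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in samples.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
        return scan_tree(root)


if __name__ == "__main__":
    # Usage against a real tree: scan_tree(Path("src/lib/utils"))
    for path, specs in sorted(demo().items()):
        print(f"{path}: floating pragma {specs}")
```

In CI, fail the job when scan_tree() returns a non-empty report for the non-library directories; interfaces and vendored libraries that are deliberately range-versioned can be excluded from the scanned root.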

#0 - GalloDaSballo

2022-09-27T00:35:32Z

R
