10190 matches found
check if the refundGas() is successful or not
Lines of code Vulnerability details The user can lose their refundAmount in the transaction field Recommended Mitigation Steps Add check bool refundSent, = msg.sender.call value: refundAmount ''; requirerefundSent, "Transfer failed."; --- The text was updated successfully, but these errors were...
Withdraw Function hasnt Timelock
Lines of code Vulnerability details Withdraw Function Timelock should be added, it is a very important criterion for investors. --- The text was updated successfully, but these errors were encountered: ๐ 1 Shungy reacted with thumbs down emoji All reactions ๐ 1 reaction...
Multiple storage slot collisions between versions - due to different order in declaration
Lines of code Vulnerability details Impact If we list the sequence of how variables receive slots, we will see the failure to follow "append-only" principle. Many variable added "in-between" V2 version can read/write wrong slots. Proof of Concept Here is the table/list of variable, built taking...
quorumvotes() on LogicV2 changed its signature.
Lines of code Vulnerability details Impact The team states: // NounsDAOLogicV2 removes: // - quorumVotes has been replaced by quorumVotesuint256 proposalId. But the signature of the function changed. It is a read-only function and it is hard to imagine a bad transaction flow with it. But is a bad...
Griefing attacks on NounsAuctionHouse
Lines of code Vulnerability details Impact There is internal function safeTransferETH that is called in createBid. The function itself: function safeTransferETHaddress to, uint256 value internal returns bool bool success, = to.call value: value, gas: 30000 new bytes0; return success; Please note...
NounsDAOLogicV2's state() and proposals() will use initial dynamic params for all V1 proposals
Lines of code Vulnerability details state and proposals call quorumVotesid that utilize initial dynamic params for all V1 proposals by misusing 0 as a proposal creation block. I.e. new field is referenced while it is zero for all V1 proposals. This way all V1 proposals will use the same initial s...
NounsDAOLogicV2.sol funds will be instantaneously drained if the private keys become compromised
Lines of code Vulnerability details Impact If the admin gets compromised, all the ether in NounsDAOLogicV2.sol will be drained. function withdraw external if msg.sender != admin revert AdminOnly; uint256 amount = addressthis.balance; bool sent, = msg.sender.call value: amount ''; emit...
Calling execute function for one proposal immediately after an ETH transfer to timelock contract, such as for another proposal, can steal the transferred ETH
Lines of code Vulnerability details Impact The NounsDAOExecutor contract is the timelock for this protocol. It can receive ETH transfer through the following receive and fallback functions. receive external payable fallback external payable Alice can create a proposal that sends certain amount of...
User should not be able to use more votes that he has at the moment of voting
Lines of code Vulnerability details Impact In castVoteInternal function user can vote. And the votes that he has is calculated using the checkpoint when the proposal was created. This is not correct for few reasons. 1.Suppose in time t1 the proposal was created and in that time user1 had 2 tokens...
[M1] quorumVotes() at NounsDAOLogicV2 returns zero for invalid proposalId
Lines of code Vulnerability details Impact External protocol or contract can be negatively impacted. PoC quorumVotes is external so it can be called from outside. At this time it returns zero for incorrect proposalId . function quorumVotesuint256 proposalId public view returns uint256 Proposal...
Queued proposals can be blocked from execution by other proposals when using the same actions
Lines of code Vulnerability details Impact In NounsDAOLogicV1 and NounsDAOLogicV2, anyone can create proposal with the same actions as other proposal. In that case, if attacker calls cancel on his proposal, then other proposal with the same action cannot be executed. Proof of Concept Function...
The attacker consumes the contract's balance by controlling the gas-price or gas-used.
Lines of code Vulnerability details Impact The attacker consumes all of the contract's balance by controlling the gasPrice and gasUsed. Proof of Concept function refundGasuint256 startGas internal unchecked uint256 balance = addressthis.balance; if balance == 0 return; uint256 gasPrice =...
Timelock can be set by anyone except admin since it was not initialize
Lines of code Vulnerability details Impact Timelock can be manipulate by anyone Proof of Concept Timelock NounsDAOExecutor can be set by anyone since timelock was not set acceptAdmin on initialize so it can be manipulate. Tools Used Manual Review Recommended Mitigation Steps Adding...
Possible stuck Ether inNounsDAOProxy.sol
Lines of code https://github.com/code-423n4/2022-08-nounsdao/blob/c1c7c6201d0247f92472419ff657b570f9104565/contracts/governance/NounsDAOProxy.solL130 https://github.com/code-423n4/2022-08-nounsdao/blob/c1c7c6201d0247f92472419ff657b570f9104565/contracts/governance/NounsDAOProxy.solL138 Vulnerabili...
MISSING INPUT CKECK WHEN SETTING NEW **QuorumCoefficient**
Lines of code Vulnerability details Impact In the setQuorumCoefficient , setDynamicQuorumParams functions when the admin sets a new QuorumCoefficient, there is no check on the newQuorumCoefficient parameter which means that a wrong QuorumCoefficient could be set either being very big or very smal...
Admin Privilege - Owner can Withdraw all ETH
Lines of code Vulnerability details The function withdraw is meant to allow sweeping of ETH, the purpose is probably to simplify the process of getting back ETH that wasn't meant to be sent, or to take back ETH used for Gas Refunds. However the function itself can be viewed as a tool to steal...
queue(), execute(), cancel() and veto() can run out of gas and revert due to out of bound loops
Lines of code Vulnerability details Impact The functions queue, execute, cancel and veto contain unbounded loops, which can cause transactions to consume more gas than the block limit run out of gas and revert. Since these functions are critical for the proposals flow, this could impact the...
While it is allowed to create only one proposal per person, you can still create more
Lines of code Vulnerability details Impact After the creation of one proposal user can send his tokens to another persondelegate votes, so another person will create new proposal using the first user's proposal threshold amount. In propose method there is a condition that one user can create only...
[H1] Reentrancy in castRefundableVoteInternal makes voters able to steal some ETH
Lines of code Vulnerability details Impact Voters can steal some ETH Proof of Concept The function castRefundableVoteInternal is vulnerable to reentrancy. In your dev comments for this function you wrote @dev Reentrancy is defended against in castVoteInternal at the receipt.hasVoted == false...
delegate to zero address can make user lose their votes forever
Lines of code Vulnerability details Impact Function delegatedelegatee will delegates votes from msg.sender to delegatee. In case delegatee = address0, it mean msg.sender wanna vote to himself. // url =...
users could not queue a proposal of state succeeded
Lines of code Vulnerability details Impact When a user tries to invoke queue to queue a successful proposal the transaction will fail, the same thing with execute. so there is no execution even if the queued proposal is passed the eta This error effect also: -Emitting ProposalCreated event on...
Dynamic quorum votes parameters for a proposal (Proposal A) are changed according to another proposal (Proposal B) that proposes to update dynamic quorum votes parameters when Proposal B is executed after Proposal A is created in the same block
Lines of code Vulnerability details Impact The following writeQuorumParamsCheckpoint function is used to record dynamic quorum votes parameters at a block of interest. function writeQuorumParamsCheckpointDynamicQuorumParams memory params internal uint32 blockNumber = safe32block.number, 'block...
The variable value uint256 proposalCount is reset when migrating from V1 to V2
Lines of code Vulnerability details Context: NounsDAOInterfaces.sol contract NounsDAOStorageV1 /// The total number of proposals for V1 uint256 public proposalCount; contract NounsDAOStorageV1Adjusted /// The total number of proposals for V2 uint256 public proposalCount; Description: The uint256...
malicious attacker can manipulate another delegator vote
Lines of code Vulnerability details Impact The function ERC721Checkpointable.delegate is used to change and delegate to another accounts and it call an internal function delegate which will change the delegator of the msg.sender and it will also call another internal function moveDelegates which...
NounsDAOProxy.sol (with LogicV2) cannot call NounsDAOExecutor.acceptAdmin()
Lines of code Vulnerability details Impact It's designed that DAOProxy uses Executor to manage the project and treasury. So DAOProxy can call any external functions in the Executor. But it cannot acceptAdmin, and it's strange. So, DAOProxy instances applying LogicV2 will not be able to acceptAdmi...
Check the return of .call when sending Ether
Lines of code Vulnerability details Impact It's considered a best practice to always check the return of the transaction when sending Ether with .call, since it's possible for a tx failure due to external factors out of the contract control. Currently, the contract emits an event with the result...
Return value of call() not checked
Lines of code Vulnerability details Impact The return value of a message call is not checked. Execution will resume even if the called contract throws an exception. If the call fails accidentally or an attacker forces the call to fail, this may cause unexpected behaviour in the subsequent program...
User can lose all governance power
Lines of code Vulnerability details Impact Contract is missing self delegation in case of delegateBySig function. This means if delegateBySig is called with zero address delegatee then User votes will be burned instead of setting delegatee to signatory Proof of Concept 1. User calls delegateBySig...
Incorrect Withdraw Pattern
Lines of code Vulnerability details Context: NounsDAOLogicV2.solL783-L792 Description: 1 -When we transfer ether with call, we have to check with require whether the bool value will be successful.This part is missing in the code in the contract Proof Of Concept: 2- Since the bool value is not...
Openzeppelin contracts with critical and high vulnerabilities can be installed and used
Lines of code Vulnerability details Impact Currently, @openzeppelin/contracts and @openzeppelin/contracts-upgradeable versions are set as follows. "@openzeppelin/contracts": "^4.1.0", "@openzeppelin/contracts-upgradeable": "^4.1.0", For the specified version, there are some critical and high...
NounsDAOLogic.sol would become bricked if NoansDAOExecutor.sol admin ever changes
Lines of code Vulnerability details Impact NounsDAOLogic.sol would become bricked and upgradability would be completely broken Proof of Concept In the current setup, NoansDAOExecutor.sol is both admin and timelock for NounsDAOLogic.sol. If the admin for NoansDAOExecutor.sol was ever changed,...
Storage layout collision issue between NounsDAOStorageV1 and NounsDAOStorageV1Adjusted
Lines of code Vulnerability details Impact Since two new variables are added in the contract NounsDAOStorageV1Adjusted at the end of the struct proposal, the memory layout between the NounsDAOStorageV1 and NounsDAOStorageV1Adjusted is colluding. This affects the variable type and values in the...
Storage collision between proxy and logic v2
Lines of code Vulnerability details The lack of using EIP1967 proposal can lead to a storage collision on variables when implementing proxy-implementation pattern. More details can be found here; Impact Since the project implementing proxies with logic and implementation pattern where they share...
Inconsistent implementation of delegate and delegateBySig leads to inconsistent checkpoints and numCheckpoints modification.
Lines of code Vulnerability details Impact User can delegate to delegatee by calling delegeate and if the parameter delegatee is address0, it will be replaced with the msg.sender. function delegateaddress delegatee public if delegatee == address0 delegatee = msg.sender; return delegatemsg.sender,...
Division before multiplication can lead to precision errors
Lines of code Vulnerability details Impact Since we are working with integer, if we divide before multiply, it can lead to precision errors. In this case, it can lead to error in quorum votes calculation in dynamicQuorumVotes function, allowing proposal be succeeded easier since quorumVote is...
ONLY ADMIN IS ABLE TO CHANGE THE VOTING PARAMETERS
Lines of code Vulnerability details Impact In both the NounsDAOLogicV1 and NounsDAOLogicV2 contracts, only admin is able to change the voting parameters which includes : VotingDelay VotingPeriod ProposalThresholdBPS MinQuorumVotesBPS MaxQuorumVotesBPS QuorumCoefficient This will ma...
Unchecked Call return value in _refundGas call can fail and contract will not revert
Lines of code Vulnerability details Because payable.call is a low-level call, it will not cause a revert on failure. bool refundSent, = msg.sender.call value: refundAmount ''; This means the function will go through, as if the gas-refund was processed, when it may have not. This can specifically...
Wrong assumption of block time might cause wrong value of votingDelay, votingPeriod
Lines of code Vulnerability details Impact In NounsDAOLogic, there are some constants in the system are estimated with an assumption that block time is 15 second. These constants are used to check value of votingPeriod and votingDelay. Actually, the merge is near and after the merge blocks come...
The repository uses versions of OpenZeppelin libraries with critical severity vulnerabilities
Lines of code Vulnerability details Proof of Concept The project uses 4.1.0 for both @openzeppelin/contracts and @openzeppelin/contracts-upgradeable but OpenZeppelin has flagged them as versions with critical severity vulnerability: GHSA-5vp3-v4hc-gx76 Also in those versions you have this...
Update initializer modifier to prevent reentrancy during initialization
Lines of code Vulnerability details package.json L32-33 The solution uses: "@openzeppelin/contracts": "^4.1.0", "@openzeppelin/contracts-upgradeable": "^4.1.0", The current implementation of initialize function in both NounsDAOLogicV1.sol and NounsDAOLogicV2.sol are not using initializer modifier...
Votes which guarantee a majority for-vote can still result in a defeated proposal
Lines of code Vulnerability details Impact The current quorum logic in NounsDAOLogicV2.sol and NounsDAOLogicV1.sol seems undesirable. High, even complete, voter turnout may still not favour a majority for-vote, while a majority against-vote always wins, no matter how low the turnout is even zero...
Nouns NFT owner delegating voting power to the zero-address will lock all owned Nouns forever
Lines of code Vulnerability details Impact Nouns NFTs represent governance voting power by having the NounsToken contract inherit the ERC721Checkpointable contract. The ERC721Checkpointable contract is based on the Comp.sol implementation by Compound. One of the modifications is not needing to...
Voting signature malleability of EVM's ecrecover in castVoteBySig
Lines of code Vulnerability details Proof of Concept EVM's ecrecover is susceptible to signature malleability which allows replay attacks, but that is mitigated here by doing receipt.hasVoted = true;. However, if any of the application logic changes, it might make signature malleability a risk fo...
There is no validation of DynamicQuorumParams.quorumCoefficient.
Lines of code Vulnerability details Impact There is no validation of DynamicQuorumParams.quorumCoefficient and any value can be used during this calculation. Proof of Concept As we can see from the comment, quorumCoefficient should be an integer with 6 decimals but there is no require for this...
no one can create a proposal by calling propose() or voting on any proposal
Lines of code Vulnerability details Impact -The users could not create a proposal by invoking propose -The users could not be voting on any proposal by invoking castVoteBySig, castVoteWithReason, castRefundableVoteInternal,castRefundableVoteWithReason, castRefundableVote and castVote -The propose...
LogicV2 has different/new initialize() code, but it is not possible to call it.
Lines of code Vulnerability details Impact In the V1 we had a line in the initialize: requireaddresstimelock == address0, 'NounsDAO::initialize: can only initialize once'; ... timelock = INounsDAOExecutortimelock; So in the storage of the DAOProxy it is stored an address for timelock. V2 code has...
in V2 Struct Proposal adds new params - totalSupply & creationBlock. So items in struct can overlap, as the struct consumes more slots.
Lines of code Vulnerability details Impact Possible slot overlapping. Reference: Proof of Concept additing new Proposal structs Tools Used Visual Studio Recommended Mitigation Steps Append new variables that will manage this totalSupply/CreationBlock info stored. --- The text was updated...
Voting power determined by proposal creation block enables inherent voting manipulation
Lines of code Vulnerability details Impact The voting power for a Nouns holder for a given proposal is calculated as the number of Nouns held at the time of proposal creation. This creates an opportunity for voting manipulation by the proposal creator because they can specifically choose the time...
Anyone can call queue() and execute() which can cause a leak of value
Lines of code Vulnerability details Impact The functions queue and execute don't include any access restrictions, which means they can be called by anyone at anytime. File: contracts/governance/NounsDAOLogicV2.sol function queueuint256 proposalId external File:...
Upgraded Q -> M from 169 [1661180702678]
Judge has assessed an item in Issue 169 as Medium risk. The relevant finding follows: Issue 2 Storage check in execute from Vault.sol is obselete Currently execute contains the line: if owner != owner revert OwnerChangedowner, owner; to make sure that the owner storage variable is not modified...