Borrowing NFTs at proposal block to gain more vote power. #140
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
invalid
This doesn't seem right
old-submission-method
Lines of code
https://github.com/code-423n4/2022-08-nounsdao/blob/main/contracts/governance/NounsDAOLogicV1.sol#L508
Vulnerability details
Impact
Attacker can gain more voting power with low cost
Proof of Concept
When voting, voting power is taken from the snapshot at the same block as the proposal is made.
It would be better to take voting power from the prior block.
Change to
(Same problem in V2 contract)
The attacker can monitor mempool and borrow NFTs just in time when proposal is made. It is a low cost attack because attacker can repay the loan in the very next block, rendering the fee cost very low.
I would say, right now, there is a medium probability of the attack, but hgih probability in the future. Right now there are few protocls where you can borrow NFTs agains your collateral and paying small fee (proportional to borrowing time). It is expected the NFT infrastructure (eg borrowing) will be even more developed. I would expect the bribing protocols will develop as well (curve wars is a prime example).
The text was updated successfully, but these errors were encountered: