Voter can vote without owning any Noun DAO NFT if they can borrow Noun DAO NFT on the creationBlock and hold it for 1 block then return it #277
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
invalid: This doesn't seem right
Lines of code
https://github.com/code-423n4/2022-08-nounsdao/blob/c1c7c6201d0247f92472419ff657b570f9104565/contracts/governance/NounsDAOLogicV2.sol#L588-L615
Vulnerability details
Impact
A voter can vote without owning any Noun DAO NFT if they can borrow a Noun DAO NFT in the creationBlock, hold it for one block, and then return it. A voter can thus obtain far more voting power than they own for a small amount of ETH (the borrowing fee) and use it to flood a targeted proposal with NO or YES votes. If NO votes are flooded in this way, a valid proposal may be rejected.
An attacker can monitor the mempool to learn when a proposal is being created and bribe a validator to include a Noun DAO NFT borrowing transaction in the same block as the proposal creation.
Proof of Concept
Votes are counted from the block in which the proposal was created. Anyone holding a Noun DAO NFT in that block has voting power, and they keep it even if they give the NFT away one block later. So it is enough to borrow a Noun DAO NFT in the proposal creation block, return it one block later, and then vote on the proposal with the cheaply borrowed voting power.
Recommended Mitigation Steps
Use proposalCreationBlock(proposal) - 12 as the snapshot block to defeat mempool observation, since a proposal creation event should not be knowable 12 blocks in advance.
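As an added illustration (not part of this report or of the Nouns code), a Python model of checkpoint-based vote lookup in the style of getPriorVotes, comparing a snapshot taken at the creation block with the lagged snapshot the report recommends. The account names, block numbers and checkpoint layout are constructed for the example.

```python
from bisect import bisect_right


class CheckpointedVotes:
    """Toy model of ERC721Checkpointable-style vote checkpoints (constructed for this example).

    Each account keeps an ascending list of (fromBlock, votes); a token transfer writes a
    new checkpoint for both sides in the block it happens in.
    """

    def __init__(self):
        self.checkpoints = {}  # account -> [(from_block, votes), ...]

    def _write(self, account, block, votes):
        cps = self.checkpoints.setdefault(account, [])
        if cps and cps[-1][0] == block:
            cps[-1] = (block, votes)  # second change in the same block overwrites the checkpoint
        else:
            cps.append((block, votes))

    def current_votes(self, account):
        cps = self.checkpoints.get(account)
        return cps[-1][1] if cps else 0

    def mint(self, account, block):
        self._write(account, block, self.current_votes(account) + 1)

    def transfer(self, src, dst, block):
        """Move one token's vote from src to dst, checkpointing both accounts at `block`."""
        self._write(src, block, self.current_votes(src) - 1)
        self._write(dst, block, self.current_votes(dst) + 1)

    def get_prior_votes(self, account, block):
        """Votes `account` held at the end of `block` (binary search, as getPriorVotes does)."""
        cps = self.checkpoints.get(account, [])
        idx = bisect_right([from_block for from_block, _ in cps], block)
        return cps[idx - 1][1] if idx else 0


def votes_at_snapshot(snapshot_lag):
    """Votes of (short-term holder, original owner) when the snapshot is creation_block - snapshot_lag."""
    ledger = CheckpointedVotes()
    creation_block = 100  # constructed block number of the proposal's creation
    ledger.mint("owner", 0)
    ledger.transfer("owner", "holder", creation_block)      # token changes hands in the creation block
    ledger.transfer("holder", "owner", creation_block + 1)  # and goes back one block later
    snapshot = creation_block - snapshot_lag
    return ledger.get_prior_votes("holder", snapshot), ledger.get_prior_votes("owner", snapshot)
```

With lag 0 the one-block holder carries the vote; with the 12-block lag the snapshot predates the transfer and the vote stays with the original owner.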