ETH cannot be locked for specific proposal #56
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
invalid
This doesn't seem right
Comments
code423n4
added
2 (Med Risk)
eladmallel
added
the
disagree with severity
|
We're ok letting proposal execution fail if the treasury has insufficient funds. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-08-nounsdao/blob/c1c7c6201d0247f92472419ff657b570f9104565/contracts/governance/NounsDAOLogicV2.sol#L333
Vulnerability details
Impact
A proposal may have a
valueset that is sent inNounsDAOExecutorwhen the call is executed. However, the ETH balance of theNounsDAOExecutoris used when doing so. There is no way to lock / reserve ETH for a specific proposal, which can lead to erroneous behavior.Proof Of Concept
Alice proposes to transfer 1 ETH to contract F. There are a lot of votes in favor of this proposal, so Alice (or the Nouns DAO) decides to deposit 1 ETH into the Executor contract. However, there is also a successful proposal from Bob which transfer 1 ETH to contract D. This proposal already succeeded some weeks ago, but there was not enough ETH to execute it. Now, that the executor contract has 1 ETH,
executecan be called on Bob's proposal and Alice's ETH is used for a completely different purpose.Recommended Mitigation Steps
A relatively simple fix would be to make execute
payableand forward the ETH ifmsg.valueis greater than 0. Like that, ETH could be associated with a single proposal only by sending the corresponding amount when executing.The text was updated successfully, but these errors were encountered: