Open code423n4 opened 1 year ago
Risk is low, and since this contract is not upgradable and is high stakes code (the treasury), it's not cost effective to attempt a mainnet change. Should the need to debug arise we can always use debugging tools like Tenderly to gain more visibility.
Lines of code
https://github.com/code-423n4/2022-08-nounsdao/blob/main/contracts/governance/NounsDAOExecutor.sol#L173
https://github.com/code-423n4/2022-08-nounsdao/blob/main/contracts/governance/NounsDAOLogicV1.sol#L320
Vulnerability details
Impact
It may be very difficult to verify whether a proposal's calls actually executed successfully.
Proof of Concept
Proposal execution does not handle the data returned by the individual calls. The calls are arbitrary, and in particular a low-level `call` can report success while the target's logic did not do what was intended (for example, a function that signals failure through its return value instead of reverting). The only way to verify whether the calls were successful is to manually debug the transaction trace.
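The following is an added illustration of the failure mode described above; it is not code from the Nouns DAO repository. `SoftFailTarget`, `OpaqueExecutor`, `TransparentExecutor` and `Demo` are constructed for this example. The opaque executor mirrors the pattern at issue (only the `success` flag of the low-level call is checked, the returned bytes are handed back and can be dropped by the caller); the transparent variant emits the return data so the outcome of each call is visible in the receipt logs without a trace.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;

// Constructed target (not Nouns code): signals failure via its return value
// instead of reverting, the way some ERC20 `transfer` implementations do.
contract SoftFailTarget {
    uint256 public counter;

    function doWork(bool shouldFail) external returns (bool) {
        if (shouldFail) {
            return false; // no revert, so a low-level call still reports success
        }
        counter += 1;
        return true;
    }
}

// Pattern under discussion: only `success` is checked; the returned bytes are
// passed back to the caller, who may discard them. Nothing lands in the logs.
contract OpaqueExecutor {
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool success, bytes memory returnData) = target.call(data);
        require(success, "Transaction execution reverted.");
        return returnData;
    }
}

// Hardened variant (assumption, not a project recommendation): surface the
// return data in an event so each call's outcome is verifiable from receipts.
contract TransparentExecutor {
    event CallExecuted(address indexed target, bytes data, bytes returnData);

    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool success, bytes memory returnData) = target.call(data);
        require(success, "Transaction execution reverted.");
        emit CallExecuted(target, data, returnData);
        return returnData;
    }
}

// Demo harness: both executors complete without reverting even though the
// target did no work. Only the transparent one leaves abi.encode(false) in a log.
contract Demo {
    function run()
        external
        returns (uint256 counterAfterOpaque, uint256 counterAfterTransparent, bytes memory returned)
    {
        SoftFailTarget target = new SoftFailTarget();
        bytes memory data = abi.encodeWithSelector(SoftFailTarget.doWork.selector, true);

        new OpaqueExecutor().execute(address(target), data); // succeeds, return data dropped
        counterAfterOpaque = target.counter(); // still 0: the work did not happen

        returned = new TransparentExecutor().execute(address(target), data);
        counterAfterTransparent = target.counter(); // still 0, but the log now shows the false
    }
}
```

Deploying `Demo` and calling `run()` returns `(0, 0, abi.encode(false))`: neither executor reverts, so the counter never increments, and the only on-chain evidence of the failed intent is the `CallExecuted` event from the transparent executor. With the opaque pattern, confirming what happened requires replaying the transaction in a tracer.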
Recommended Mitigation Steps
Either of these: