code-423n4 / 2022-08-nounsdao-findings


Execution not handling returned data #143


code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-08-nounsdao/blob/main/contracts/governance/NounsDAOExecutor.sol#L173
https://github.com/code-423n4/2022-08-nounsdao/blob/main/contracts/governance/NounsDAOLogicV1.sol#L320

Vulnerability details

Impact

It might be very difficult to verify whether a proposal has successfully executed or not.

Proof of Concept

Proposal execution doesn't handle the returned data from individual calls. Calls are arbitrary. In particular, a call (a low-level call) can succeed but fail to execute its logic internally. The only way to verify whether the calls were successful is to manually debug the tx trace.

Recommended Mitigation Steps

Either of these:

  1. Return aggregated return data from executor.
  2. Emit event with returned data
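
The following Solidity sketch is an added illustration of the two mitigations above; it is not code from the Nouns repository and does not reproduce NounsDAOExecutor. `SoftFailingTarget`, `ExecutorWithReturnData` and `DaoLogicConsumer` are hypothetical names constructed for this example. The target mimics the "succeeds at the EVM level but signals failure in its return value" pattern (ERC20 tokens that return `false` instead of reverting), the executor keeps the usual `success` check but also emits the raw return data and returns it to its caller, and the consumer shows how a caller could decode a boolean return value and treat `false` as a failure.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical target (constructed for this example, not Nouns code).
/// The call does not revert, so a bare `require(success)` in the executor
/// will not notice that the logic reported failure.
contract SoftFailingTarget {
    bool public toggled;

    function setFlag(bool wantSuccess) external returns (bool) {
        if (!wantSuccess) {
            return false; // "soft" failure: no revert, only a false return value
        }
        toggled = true;
        return true;
    }
}

/// Hypothetical executor illustrating both mitigations: the return data of
/// every call is emitted in an event (mitigation 2) and returned to the
/// caller (mitigation 1) so it can be inspected without replaying the trace.
contract ExecutorWithReturnData {
    event ExecuteTransaction(
        address indexed target,
        uint256 value,
        string signature,
        bytes data,
        bytes returnData
    );

    address public immutable admin;

    constructor() {
        admin = msg.sender;
    }

    function executeTransaction(
        address target,
        uint256 value,
        string calldata signature,
        bytes calldata data
    ) external payable returns (bytes memory) {
        require(msg.sender == admin, "ExecutorWithReturnData: not admin");

        // Same Timelock-style convention: an empty signature means `data`
        // already carries the selector, otherwise prepend it.
        bytes memory callData = bytes(signature).length == 0
            ? data
            : abi.encodePacked(bytes4(keccak256(bytes(signature))), data);

        (bool success, bytes memory returnData) = target.call{value: value}(callData);
        require(success, "ExecutorWithReturnData: transaction execution reverted");

        // The return data is now visible in logs and to the caller.
        emit ExecuteTransaction(target, value, signature, data, returnData);
        return returnData;
    }
}

/// Hypothetical caller (the role NounsDAOLogicV1 plays) that does not discard
/// the executor's return data. A 32-byte return is decoded as a bool and a
/// `false` result is treated as a failed call; an empty return is accepted.
contract DaoLogicConsumer {
    ExecutorWithReturnData public immutable executor;

    constructor(ExecutorWithReturnData executor_) {
        executor = executor_;
    }

    function executeAndCheckBool(
        address target,
        string calldata signature,
        bytes calldata data
    ) external returns (bool ok) {
        bytes memory ret = executor.executeTransaction(target, 0, signature, data);
        if (ret.length == 32) {
            ok = abi.decode(ret, (bool));
        } else {
            ok = ret.length == 0; // no return value: only the success flag applies
        }
        require(ok, "DaoLogicConsumer: call returned false");
    }
}
```

With this layout, calling `executeAndCheckBool(target, "setFlag(bool)", abi.encode(false))` reverts instead of silently "succeeding", and an indexer watching `ExecuteTransaction` can read the returned bytes of every proposal action directly from the receipt. The decoding rule is deliberately simple: it only understands a single boolean return, which is the common case the finding describes, and it must be adapted per target ABI.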

eladmallel commented 1 year ago

Risk is low, and since this contract is not upgradable and is high stakes code (the treasury), it's not cost effective to attempt a mainnet change. Should the need to debug arise we can always use debugging tools like Tenderly to gain more visibility.