code-423n4 / 2022-08-nounsdao-findings


Voter can vote without owning any Noun DAO NFT if they can borrow Noun DAO NFT on the creationBlock and hold it for 1 block then return it #277

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-08-nounsdao/blob/c1c7c6201d0247f92472419ff657b570f9104565/contracts/governance/NounsDAOLogicV2.sol#L588-L615

Vulnerability details

Impact

Voters can vote without owning any Noun DAO NFT if they can borrow a Noun DAO NFT on the creationBlock, hold it for 1 block and then return it. Voters can get too much voting power while using a little ETH (borrowing fee). Then voters can spam NO or YES votes on a targeted proposal. If NO votes have been spammed, it may cause a valid proposal to be rejected.

A hacker can monitor the mempool to know when the proposal is created and bribe a validator to include the Noun DAO NFT borrowing transaction in the same block as the proposal creation block.

Proof of Concept

```solidity
        /// @notice: Unlike GovernerBravo, votes are considered from the block the proposal was created in order to normalize quorumVotes and proposalThreshold metrics
        uint96 votes = nouns.getPriorVotes(voter, proposalCreationBlock(proposal));
```

Votes are considered from the block the proposal was created. If someone can hold a Noun DAO NFT on that block, they will have voting power. If they throw the Noun DAO NFT away even 1 block after that block, they still have voting power. So, just borrow a Noun DAO NFT on the proposal creation block, return it 1 block later and then vote on the proposal using the cheap borrowed voting power.

Recommended Mitigation Steps

Use proposalCreationBlock(proposal) - 12 to avoid mempool observation, since the proposal creation event shouldn't be knowable 12 blocks in advance.
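The snapshot behaviour described in the finding, and the effect of the suggested lookback, replayed in a constructed Python model of Compound-style vote checkpoints (an added example, not the Nouns contracts' own code; the account names, balances and block numbers are made up):

```python
class VotesLedger:
    """Constructed model (an assumption, not Nouns' own code) of Compound-style
    vote checkpoints; get_prior_votes answers 'votes held at the end of block N'."""

    def __init__(self):
        self.block = 0
        self.checkpoints = {}  # account -> [(from_block, votes), ...] ascending

    def current_votes(self, acct):
        cps = self.checkpoints.get(acct)
        return cps[-1][1] if cps else 0

    def _write(self, acct, votes):
        cps = self.checkpoints.setdefault(acct, [])
        if cps and cps[-1][0] == self.block:
            cps[-1] = (self.block, votes)  # a second change in one block overwrites
        else:
            cps.append((self.block, votes))

    def transfer(self, src, dst, amount=1):
        if src is not None:  # a None source models minting
            self._write(src, self.current_votes(src) - amount)
        self._write(dst, self.current_votes(dst) + amount)

    def get_prior_votes(self, acct, block_number):
        if block_number >= self.block:
            raise ValueError("not yet determined")
        cps = self.checkpoints.get(acct, [])
        if not cps or cps[0][0] > block_number:
            return 0
        lo, hi = 0, len(cps) - 1
        while lo < hi:  # binary search for the last checkpoint <= block_number
            mid = (lo + hi + 1) // 2
            lo, hi = (mid, hi) if cps[mid][0] <= block_number else (lo, mid - 1)
        return cps[lo][1]


def borrowed_vote_scenario(lookback):
    """Replays the finding; returns (borrower, lender) votes as the DAO would count
    them with the snapshot taken at proposalCreationBlock - lookback (0 = as is)."""
    ledger = VotesLedger()
    ledger.transfer(None, "lender", 5)  # constructed: lender owns 5 Nouns at block 0
    ledger.block = 100                  # proposal is created at block 100
    creation = ledger.block
    ledger.transfer("lender", "borrower", 5)  # borrow inside the creation block
    ledger.block += 1
    ledger.transfer("borrower", "lender", 5)  # return it one block later
    ledger.block += 10                        # castVote happens at block 111
    snap = creation - lookback
    return ledger.get_prior_votes("borrower", snap), ledger.get_prior_votes("lender", snap)
```

With lookback 0 the borrower is counted with all 5 votes and the lender with none, although the NFTs were held for a single block; with the suggested 12-block lookback the snapshot predates the borrow and the weights revert to the real owner.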

davidbrai commented 2 years ago

Duplicate of #140