The contract is missing self-delegation handling in the delegateBySig function. This means that if delegateBySig is called with the zero address as delegatee, the user's votes will be burned instead of the delegatee being set to the signatory.
Proof of Concept
The user calls the delegateBySig function with a valid signature and delegatee set to address(0).
This makes a call to the _delegate function:
    function delegateBySig(
        address delegatee,
        uint256 nonce,
        uint256 expiry,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) public {
        ...
        return _delegate(signatory, delegatee);
    }
This updates _delegates for the signatory to address(0).
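A minimal sketch of the bookkeeping behind this proof of concept, added here as an example and not taken from the NounsDAO source or from the report's recommended patch. Signature recovery is omitted, so `signatory` is passed in directly; the contract name, the `votes` and `balance` mappings, and both `delegateBySig*` function names are assumptions standing in for the contract's checkpoint logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;

// Added illustration: simplified vote bookkeeping, not the audited contract.
// `signatory` stands for the address recovered from the (v, r, s) signature.
contract DelegationSketch {
    mapping(address => address) internal _delegates; // address(0) = never set
    mapping(address => uint96) public votes;         // voting power per delegate
    mapping(address => uint96) public balance;       // tokens held (assumed)

    constructor(address holder, uint96 amount) {
        balance[holder] = amount;
        votes[holder] = amount; // assumption: holders start self-delegated
    }

    // An unset delegate is read as "delegated to self".
    function delegates(address delegator) public view returns (address) {
        address current = _delegates[delegator];
        return current == address(0) ? delegator : current;
    }

    // Behaviour described in the report: address(0) is passed straight through.
    function delegateBySigUnchecked(address signatory, address delegatee) external {
        _delegate(signatory, delegatee);
    }

    // Hardened variant: a zero delegatee is treated as the signatory itself.
    function delegateBySigChecked(address signatory, address delegatee) external {
        if (delegatee == address(0)) delegatee = signatory;
        _delegate(signatory, delegatee);
    }

    function _delegate(address delegator, address delegatee) internal {
        address from = delegates(delegator);
        _delegates[delegator] = delegatee;
        uint96 amount = balance[delegator];
        if (from != delegatee && amount > 0) {
            // Votes always leave the current delegate...
            if (from != address(0)) votes[from] -= amount;
            // ...but are never credited when the destination is address(0),
            // so the signatory's voting power disappears.
            if (delegatee != address(0)) votes[delegatee] += amount;
        }
    }
}
```

With a holder of 5 tokens, calling `delegateBySigUnchecked(holder, address(0))` leaves `votes[holder]` at 0 while `delegates(holder)` still returns the holder; the checked variant leaves `votes[holder]` at 5.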
Lines of code
https://github.com/code-423n4/2022-08-nounsdao/blob/main/contracts/base/ERC721Checkpointable.sol#L126
Vulnerability details
Recommended Mitigation Steps
Change the delegateBySig function to include below: