Status: Closed (closed by code423n4 2 years ago)
Lines of code

https://github.com/code-423n4/2022-08-nounsdao/blob/main/contracts/governance/NounsDAOLogicV2.sol#L351
https://github.com/code-423n4/2022-08-nounsdao/blob/main/contracts/governance/NounsDAOExecutor.sol#L134

Vulnerability details

Impact

The user who creates a proposal is not the admin.

Proof of Concept

In NounsDAOLogicV2.sol the function cancel() has a require(msg.sender == proposal.proposer || …) and it invokes cancelTransaction() on NounsDAOExecutor.sol, which has another check, require(msg.sender == admin, …). The same thing applies to veto().
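As an added illustration (not the audited Nouns code), the call chain the report describes, reduced to two hypothetical contracts; it assumes, as in the Nouns deployment, that the executor is constructed with the governor contract's address as `admin`, so the inner `require(msg.sender == admin)` is evaluated against the governor, which is the contract calling `cancelTransaction()`, not against the proposer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;
// Stand-in for NounsDAOExecutor (hypothetical); assumed to be deployed with
// admin = the Governor contract's address. Every entry point is gated on admin.
contract Executor {
    address public admin;
    mapping(bytes32 => bool) public queuedTransactions;
    constructor(address admin_) { admin = admin_; }
    function queueTransaction(bytes32 txHash) external {
        require(msg.sender == admin, "Executor: caller must be admin");
        queuedTransactions[txHash] = true;
    }
    function cancelTransaction(bytes32 txHash) external {
        require(msg.sender == admin, "Executor: caller must be admin");
        queuedTransactions[txHash] = false;
    }
}
// Stand-in for NounsDAOLogicV2 (hypothetical): user-facing checks live here.
contract Governor {
    struct Proposal { address proposer; bytes32 txHash; bool canceled; bool vetoed; }
    Executor public immutable timelock;
    address public immutable vetoer;
    mapping(uint256 => Proposal) public proposals;
    uint256 public proposalCount;
    constructor(Executor timelock_, address vetoer_) {
        timelock = timelock_;
        vetoer = vetoer_;
    }
    function propose(bytes32 txHash) external returns (uint256 id) {
        id = ++proposalCount;
        proposals[id] = Proposal(msg.sender, txHash, false, false);
        // Inside Executor, msg.sender is address(this), not the proposer.
        timelock.queueTransaction(txHash);
    }
    // Outer check: the proposer. Inner check (in Executor): the governor,
    // because the governor is the contract making the external call.
    function cancel(uint256 id) external {
        Proposal storage p = proposals[id];
        require(msg.sender == p.proposer, "Governor: proposer only");
        p.canceled = true;
        timelock.cancelTransaction(p.txHash);
    }
    // veto() follows the same two-layer pattern with a different outer check.
    function veto(uint256 id) external {
        Proposal storage p = proposals[id];
        require(msg.sender == vetoer, "Governor: vetoer only");
        p.vetoed = true;
        timelock.cancelTransaction(p.txHash);
    }
}
```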
Duplicate of #283