Closed code423n4 closed 2 years ago
Lines of code
https://github.com/code-423n4/2022-08-nounsdao/blob/452695d4764ba9d5e1d3eef0d5ecca3d004f215a/contracts/governance/NounsDAOLogicV2.sol#L726
https://github.com/code-423n4/2022-08-nounsdao/blob/452695d4764ba9d5e1d3eef0d5ecca3d004f215a/contracts/governance/NounsDAOLogicV2.sol#L751
Vulnerability details
Impact
There is no validation of DynamicQuorumParams.quorumCoefficient, so any value can be used during this calculation.
Proof of Concept
As we can see from the comment, quorumCoefficient should be an integer with 6 decimals, but there is no require() enforcing this condition.
As a result, the admin might set an arbitrary value by mistake and this calculation wouldn't work as expected.
Tools Used
Manual Review
Recommended Mitigation Steps
Recommend adding this require() to _setQuorumCoefficient() and _setDynamicQuorumParams():
require(newQuorumCoefficient >= 1e5 && newQuorumCoefficient < 1e6, "QuorumCoefficient:: Invalid range");
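As an added illustration (not code from the Nouns DAO repository), a simplified contract showing the unchecked setter beside one that applies the range check proposed above; the struct and function names follow the finding, while the quorum arithmetic is an assumed 6-decimal fixed-point model, not the project's own implementation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;

// Stand-in for the governance contract, written for this page. The quorum
// arithmetic is an assumed model; only the names come from the finding.
contract QuorumCoefficientExample {
    struct DynamicQuorumParams {
        uint16 minQuorumVotesBPS;
        uint16 maxQuorumVotesBPS;
        uint32 quorumCoefficient; // fixed point, 6 decimals: 1_000_000 == 1.0
    }

    DynamicQuorumParams public params;
    address public admin;

    constructor() {
        admin = msg.sender;
        params = DynamicQuorumParams(1000, 2000, 1_000_000);
    }

    // Before: the coefficient is stored without a range check, so a value
    // such as 1_000_000_000 (i.e. 1000.0) is accepted silently.
    function _setQuorumCoefficientUnchecked(uint32 newQuorumCoefficient) external {
        require(msg.sender == admin, "admin only");
        params.quorumCoefficient = newQuorumCoefficient;
    }

    // After: the check proposed in the finding rejects coefficients outside
    // [0.1, 1.0) before they can reach the quorum calculation.
    function _setQuorumCoefficient(uint32 newQuorumCoefficient) external {
        require(msg.sender == admin, "admin only");
        require(
            newQuorumCoefficient >= 1e5 && newQuorumCoefficient < 1e6,
            "QuorumCoefficient:: Invalid range"
        );
        params.quorumCoefficient = newQuorumCoefficient;
    }

    // Assumed model: quorumBPS = min + coefficient * againstBPS, capped at max.
    // With an unchecked oversized coefficient the adjustment term dominates
    // and the result pins to maxQuorumVotesBPS even for a handful of votes.
    function dynamicQuorumBPS(uint256 againstVotes, uint256 totalSupply) public view returns (uint256) {
        uint256 againstBPS = (10_000 * againstVotes) / totalSupply;
        uint256 adjustmentBPS = (uint256(params.quorumCoefficient) * againstBPS) / 1e6;
        uint256 adjusted = params.minQuorumVotesBPS + adjustmentBPS;
        return adjusted > params.maxQuorumVotesBPS ? params.maxQuorumVotesBPS : adjusted;
    }
}
```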
Duplicate of #397