Closed code423n4 closed 2 years ago
I don't see any attack vector here
Lines of code
https://github.com/code-423n4/2022-08-nounsdao/blob/45411325ec14c6d747b999a40367d3c5109b5a89/contracts/governance/NounsDAOLogicV1.sol#L148-L154
Vulnerability details
Impact
Timelock can be manipulated by anyone
Proof of Concept
Timelock_ NounsDAOExecutor can be set by anyone since timelock was not set acceptAdmin() on initialize so it can be manipulated.
Tools Used
Manual Review
Recommended Mitigation Steps
Adding timelock.acceptAdmin(); similar to this one
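Added example, not part of the issue above or of the Nouns code base: a simplified model of the two-step admin handover that acceptAdmin() belongs to in a Compound-style timelock, with a deployment check for whether the handover completed. Queueing and the delay are left out, and TimelockModel, GovernorModel, execute() and controlsTimelock() are assumed names for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;

// Simplified model of a Compound-style timelock (assumption: queue and delay omitted).
contract TimelockModel {
    address public admin;
    address public pendingAdmin;

    constructor(address admin_) { admin = admin_; }

    // Stand-in for queue + execute: only the current admin can make the timelock call itself.
    function execute(bytes calldata data) external {
        require(msg.sender == admin, "admin only");
        (bool ok, ) = address(this).call(data);
        require(ok, "execution reverted");
    }

    // Step 1: nomination must come from the timelock itself, i.e. via execute().
    function setPendingAdmin(address pendingAdmin_) external {
        require(msg.sender == address(this), "must come from timelock");
        pendingAdmin = pendingAdmin_;
    }

    // Step 2: only the nominated address can complete the handover.
    function acceptAdmin() external {
        require(msg.sender == pendingAdmin, "must come from pendingAdmin");
        admin = msg.sender;
        pendingAdmin = address(0);
    }
}

// Hypothetical governor: initialize() stores the timelock and accepts the admin role.
contract GovernorModel {
    address public immutable deployer = msg.sender;
    TimelockModel public timelock;

    function initialize(TimelockModel timelock_) external {
        require(msg.sender == deployer, "deployer only");
        require(address(timelock) == address(0), "can only initialize once");
        timelock = timelock_;
        timelock.acceptAdmin(); // reverts unless this governor is already pendingAdmin
    }

    // Deployment check: true only once the handover to this governor has completed.
    function controlsTimelock() external view returns (bool) {
        return address(timelock) != address(0) && timelock.admin() == address(this);
    }
}
```

In this model the current admin first calls execute(abi.encodeWithSignature("setPendingAdmin(address)", governor)), after which initialize() succeeds and controlsTimelock() returns true. Calling setPendingAdmin() or acceptAdmin() from any other address reverts.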