code-423n4 / 2022-08-nounsdao-findings


Timelock can be set by anyone except admin since it was not initialized #341

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-08-nounsdao/blob/45411325ec14c6d747b999a40367d3c5109b5a89/contracts/governance/NounsDAOLogicV1.sol#L148-L154

Vulnerability details

Impact

Timelock can be manipulated by anyone

Proof of Concept

Timelock_ NounsDAOExecutor can be set by anyone since acceptAdmin() was not set on the timelock on initialize, so it can be manipulated.

Tools Used

Manual Review

Recommended Mitigation Steps

Adding timelock.acceptAdmin(); similar to what you can find in this one

davidbrai commented 2 years ago

I don't see any attack vector here