Open code423n4 opened 1 year ago
Because rounding is determined by a mixture of totalSupply
and quorumThresholdBps
I believe the finding cannot be of high severity.
It is important to note that because totalSupply can be zero, especially if founders take no founder mint, the Governor contract may be griefed, for example by giving away allowances to setup for a future rug-pull.
Because the finding can cause a loss, and the code doesn't have specific ways to avoid that (e.g. minimum totalSupply) i believe Medium Severity to be appropriate
I think we're going to have to ACK this and move on – there's no clear minimum token requirement we can set at the beginning of a DAO lifecycle that couldn't be circumvented by the malicious user buying the first n tokens.
Situations like this will have to be handled by the DAOs vetoer until a quorum is deemed high enough.
Lines of code
https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L473-L477 https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L116-L175 https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L413-L456
Vulnerability details
Impact
At the early stage of the deployed DAO, it is possible that the following
quorum
function returns 0 because the token supply is low.https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L473-L477
When calling the following
propose
function,proposal.quorumVotes = uint32(quorum())
is executed. Ifquorum()
returns 0,proposal.quorumVotes
is set to 0.https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L116-L175
When determining the proposal's state, the following
state
function is called, which can executeelse if (proposal.forVotes < proposal.againstVotes || proposal.forVotes < proposal.quorumVotes) { return ProposalState.Defeated; }
. Ifproposal.quorumVotes
is 0, theproposal.forVotes < proposal.quorumVotes
condition would always befalse
. Essentially, quorum votes have no effect at all for determining whether the proposal is defeated or succeeded when the token supply is low. Hence, critical proposals, such as for updating implementations or withdrawing funds from the treasury, that should not be passed if there are effective quorum votes for which the for votes fail to reach can be passed, or vice versa, so the impact can be huge.https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L413-L456
Proof of Concept
Please append the following test in
test\Gov.t.sol
. This test will pass to demonstrate the described scenario.Tools Used
VSCode
Recommended Mitigation Steps
A minimum quorum votes governance configuration that is at least 1 can be added. When
quorum()
returns 0 because the token supply is low, callingpropose
could setproposal.quorumVotes
to the minimum quorum votes.