code-423n4 / 2022-09-nouns-builder-findings


NFT flashloan against governance voting #644

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-09-nouns-builder/blob/7e9fddbbacdd7d7812e912a369cfd862ee67dc03/src/governance/governor/Governor.sol#L275

Vulnerability details

Impact

Specifically, to support a proposal, the voting power is counted at the proposal creation time.

However, there are multiple services that support NFT flashloan, e.g., NFTuloan (https://www.nftuloan.com/).

Since the voting power is counted at the proposal creation time, a malicious proposer can first borrow a large number of NFTs, then create the proposal, and repay the flashloan at the end of the same transaction. As such, his voting power will be as large as possible.

Note that the malicious proposer still needs to hold a few tokens to keep the proposal alive.

The attack is also enabled by another ERC721Votes bug (multiple voting power values at the same timestamp), which I will report separately.

If the founder does not notice such a malicious proposal, the malicious proposal can get processed.

The bug could also be downgraded to medium, since there is a time lock before a proposal takes effect.

Recommended Mitigation Steps

Check the weight at a slightly different time from the proposal creation time (against flashloans).
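A model of the snapshot timing this finding and its mitigation turn on, written as an added example (it is not the project's Governor or ERC721Votes code, whose checkpoint internals are not shown here): a simplified timestamp-keyed checkpoint ledger, and a proposer weight read either at the creation timestamp or one second earlier. `VotesLedger`, `proposer_weight` and `simulate` are assumed names and the scenario values are constructed.

```python
from bisect import bisect_right
from dataclasses import dataclass, field


@dataclass
class VotesLedger:
    """Minimal ERC721Votes-style checkpoint ledger: (timestamp, votes) per account."""
    checkpoints: dict = field(default_factory=dict)

    def write(self, account: str, ts: int, votes: int) -> None:
        cps = self.checkpoints.setdefault(account, [])
        if cps and cps[-1][0] == ts:
            cps[-1] = (ts, votes)  # a same-timestamp write replaces the last entry
        else:
            cps.append((ts, votes))

    def past_votes(self, account: str, ts: int) -> int:
        """Votes as of timestamp ts: the last checkpoint with timestamp <= ts."""
        cps = self.checkpoints.get(account, [])
        i = bisect_right([c[0] for c in cps], ts)
        return cps[i - 1][1] if i else 0


def proposer_weight(ledger: VotesLedger, proposer: str, now: int, lookback: int) -> int:
    """Weight a governor would record when the proposal is created.
    lookback=0 reads the creation timestamp itself (the pattern the finding describes);
    lookback=1 reads the state from before the current block (the mitigation)."""
    return ledger.past_votes(proposer, now - lookback)


def simulate(lookback: int) -> int:
    """Constructed scenario: the proposer genuinely holds 2 votes, temporarily holds
    100 more inside the proposal-creating transaction at timestamp 1000, and has
    returned them by the time that transaction ends."""
    ledger = VotesLedger()
    ledger.write("proposer", 900, 2)       # genuine holdings, checkpointed earlier
    ledger.write("proposer", 1000, 102)    # flash-borrowed tokens delegated in the same tx
    weight = proposer_weight(ledger, "proposer", 1000, lookback)
    ledger.write("proposer", 1000, 2)      # tokens returned before the tx ends
    return weight


if __name__ == "__main__":
    print("snapshot at creation time:", simulate(0))   # counts the borrowed votes
    print("snapshot one second earlier:", simulate(1))  # only the genuine 2 votes
```

Reading the weight one second before the creation timestamp means balance changes made within the proposal-creating transaction cannot affect it, which is what the recommended mitigation relies on.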

Chomtana commented 2 years ago

Dup #340

GalloDaSballo commented 2 years ago

Dup of https://github.com/code-423n4/2022-09-nouns-builder-findings/issues/185