code-423n4 / 2022-09-nouns-builder-findings


Auction.sol : Treasury(payable) typecasting is missed before setting the treasury address #693

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-09-nouns-builder/blob/7e9fddbbacdd7d7812e912a369cfd862ee67dc03/src/auction/Auction.sol#L79

Vulnerability details

Impact

The contract address will not be set with relevant properties, like payable and contract type.

Proof of Concept

https://github.com/code-423n4/2022-09-nouns-builder/blob/7e9fddbbacdd7d7812e912a369cfd862ee67dc03/src/auction/Auction.sol#L79

Auction.sol#L79 : settings.treasury = _treasury;

Whereas in Governor.sol it is set properly. Refer to this line: https://github.com/code-423n4/2022-09-nouns-builder/blob/7e9fddbbacdd7d7812e912a369cfd862ee67dc03/src/governance/governor/Governor.sol#L74

Governor.sol#L74 : settings.treasury = Treasury(payable(_treasury));

Tools Used

Manual code review

Recommended Mitigation Steps

Type cast the _treasury while assigning, as shown below.

        settings.treasury = Treasury(payable(_treasury));

GalloDaSballo commented 1 year ago

Doesn't need to be payable https://github.com/code-423n4/2022-09-nouns-builder/blob/7e9fddbbacdd7d7812e912a369cfd862ee67dc03/src/auction/types/AuctionTypesV1.sol#L15-L16

        address treasury;
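The type rules behind the two assignments quoted in this thread, as an added sketch that is not code from the nouns-builder repository. `TreasurySketch`, `AuctionSketch`, `GovernorSketch` and `forward` are hypothetical names; it is assumed that the Governor's settings field has the contract type and that the treasury contract declares a payable `receive`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical stand-in for a treasury that accepts ETH (assumption).
contract TreasurySketch {
    receive() external payable {}
}

// Case 1: the settings field is a plain `address`, as in the
// AuctionTypesV1 line quoted above.
contract AuctionSketch {
    struct Settings {
        address treasury;
    }

    Settings internal settings;

    constructor(address _treasury) {
        // address -> address: the types already match, so no cast applies.
        settings.treasury = _treasury;
    }

    // `call` is a member of plain `address` and can carry value, so
    // forwarding ETH does not need the stored field to be `address payable`.
    // (`transfer` and `send` are the members that require `address payable`.)
    function forward() external payable {
        (bool ok, ) = settings.treasury.call{value: msg.value}("");
        require(ok, "ETH transfer failed");
    }
}

// Case 2: the settings field has the contract type (assumed for Governor).
contract GovernorSketch {
    struct Settings {
        TreasurySketch treasury;
    }

    Settings internal settings;

    constructor(address _treasury) {
        // `TreasurySketch(_treasury)` is rejected by the 0.8 compiler:
        // a contract with a payable receive/fallback can only be converted
        // from `address payable`, hence the inner `payable(...)`.
        settings.treasury = TreasurySketch(payable(_treasury));
    }
}
```

Both contracts compile as written; removing `payable(...)` in `GovernorSketch` produces a compile-time type error, while adding the cast in `AuctionSketch` would require converting back to `address` to fit the field.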