Closed code423n4 closed 1 year ago
Doesn't need to be payable https://github.com/code-423n4/2022-09-nouns-builder/blob/7e9fddbbacdd7d7812e912a369cfd862ee67dc03/src/auction/types/AuctionTypesV1.sol#L15-L16
address treasury;
Lines of code
https://github.com/code-423n4/2022-09-nouns-builder/blob/7e9fddbbacdd7d7812e912a369cfd862ee67dc03/src/auction/Auction.sol#L79
Vulnerability details
Impact
The contract address will not be set with relevant properties, like payable and contract type.
Proof of Concept
https://github.com/code-423n4/2022-09-nouns-builder/blob/7e9fddbbacdd7d7812e912a369cfd862ee67dc03/src/auction/Auction.sol#L79
Auction.sol#L79 : settings.treasury = _treasury;
Whereas in Governor.sol it is set properly. Refer to the line: https://github.com/code-423n4/2022-09-nouns-builder/blob/7e9fddbbacdd7d7812e912a369cfd862ee67dc03/src/governance/governor/Governor.sol#L74
Governor.sol#L74 : settings.treasury = Treasury(payable(_treasury));
Tools Used
Manual code review
Recommended Mitigation Steps
Type cast the _treasury while assigning, as shown below.
settings.treasury = Treasury(payable(_treasury));