Lines of code
https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L111-L175
Vulnerability details
Impact
In the initial phase, when few tokens have been minted, a malicious actor can start submitting proposals and later execute them. E.g. when the first token is minted, its owner can immediately submit proposals to withdraw all the ETH from the treasury. proposalThreshold and quorum will likely be low (0 or 1 depending on proposalThresholdBps and quorumThresholdBps, which are basis-point fractions of a supply that is still tiny).
Others would not have a chance to block such a proposal later, because voting power is taken from past votes at the proposal's snapshot, and anyone who minted afterwards had 0 votes at that point. The admins can step in and veto such proposals, but this does not prevent an attacker from spamming many proposals simultaneously, making it infeasible to keep up if the attacker is willing to spend enough ETH on gas.
A similar issue arises when the total supply is 0: then anyone can submit proposals, because the threshold and quorum are effectively 0. Admins hold no voting supply either, so they cannot outvote the aggregate output of all the spammers.
Thus, this initial flood of proposals can become insurmountable even with the veto function.
Recommended Mitigation Steps
I believe veto alone is not enough to combat this issue and that there should be additional on-chain precautions. Consider introducing a minimum token supply before proposals can be submitted, or limiting the number of active proposals per token.
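As an added illustration (not the Nouns Builder Governor code, and written in Python rather than Solidity), the following model reproduces the arithmetic and snapshot behaviour described above under assumed semantics: threshold and quorum are totalSupply * bps // 10_000, a proposer must hold at least the threshold in past votes at the block before proposing, and every vote is weighted by the voter's past votes at the proposal's creation time. It also implements the two mitigations suggested above as hypothetical parameters (min_supply and max_active_per_token); all identifiers, numbers and actors are assumptions made for this example.

```python
# Added example (not the Nouns Builder Governor code): a minimal Python model of a
# basis-point governor. Assumed semantics, for illustration only: threshold and
# quorum are totalSupply * bps // 10_000, a proposer needs >= threshold votes at
# now - 1, and every vote is weighted by past votes at the proposal's creation time.
BPS_DENOMINATOR = 10_000


class Token:
    """One vote per token; ownership is checkpointed by mint timestamp."""

    def __init__(self):
        self._mints = []  # constructed inline: (timestamp, owner) per token minted

    def mint(self, owner, timestamp):
        self._mints.append((timestamp, owner))

    def total_supply(self):
        return len(self._mints)

    def past_votes(self, owner, timestamp):
        """Votes held at `timestamp`; tokens minted later do not count."""
        return sum(1 for t, o in self._mints if o == owner and t <= timestamp)


class Governor:
    def __init__(self, token, proposal_threshold_bps, quorum_bps,
                 min_supply=0, max_active_per_token=None):
        self.token = token
        self.proposal_threshold_bps = proposal_threshold_bps
        self.quorum_bps = quorum_bps
        self.min_supply = min_supply                      # hypothetical mitigation 1
        self.max_active_per_token = max_active_per_token  # hypothetical mitigation 2
        self.proposals = []  # each: {"created_at", "for", "against"}

    def proposal_threshold(self):
        # Integer division: supply 1 at 100 bps (1%) gives 1 * 100 // 10_000 == 0
        return self.token.total_supply() * self.proposal_threshold_bps // BPS_DENOMINATOR

    def quorum(self):
        return self.token.total_supply() * self.quorum_bps // BPS_DENOMINATOR

    def propose(self, proposer, now):
        supply = self.token.total_supply()
        if supply < self.min_supply:
            raise PermissionError("governance not open: supply below minimum")
        if (self.max_active_per_token is not None
                and len(self.proposals) >= self.max_active_per_token * supply):
            raise PermissionError("active proposal cap reached for current supply")
        if self.token.past_votes(proposer, now - 1) < self.proposal_threshold():
            raise PermissionError("below proposal threshold")
        self.proposals.append({"created_at": now, "for": 0, "against": 0})
        return len(self.proposals) - 1

    def cast_vote(self, proposal_id, voter, support):
        p = self.proposals[proposal_id]
        weight = self.token.past_votes(voter, p["created_at"])  # snapshot, not live balance
        p["for" if support else "against"] += weight
        return weight

    def succeeded(self, proposal_id):
        p = self.proposals[proposal_id]
        return p["for"] > p["against"] and p["for"] >= self.quorum()


def first_minter_scenario(min_supply=0, max_active_per_token=None):
    """Owner of the only token proposes; later minters carry zero weight against it."""
    token = Token()
    gov = Governor(token, proposal_threshold_bps=100, quorum_bps=1000,
                   min_supply=min_supply, max_active_per_token=max_active_per_token)
    token.mint("attacker", timestamp=1)
    threshold = gov.proposal_threshold()
    try:
        pid = gov.propose("attacker", now=2)
    except PermissionError as err:
        return {"threshold": threshold, "proposed": False, "reason": str(err)}
    for i in range(5):  # honest holders mint only after the proposal snapshot
        token.mint(f"honest{i}", timestamp=3)
    gov.cast_vote(pid, "attacker", support=True)
    honest_weight = sum(gov.cast_vote(pid, f"honest{i}", support=False) for i in range(5))
    return {"threshold": threshold, "proposed": True,
            "honest_weight": honest_weight, "succeeded": gov.succeeded(pid)}


def spam_count(supply, attempts=20, min_supply=0, max_active_per_token=None):
    """How many of `attempts` proposals one attacker lands at a given total supply."""
    token = Token()
    gov = Governor(token, 100, 1000, min_supply=min_supply,
                   max_active_per_token=max_active_per_token)
    for _ in range(supply):
        token.mint("attacker", timestamp=1)
    accepted = 0
    for _ in range(attempts):
        try:
            gov.propose("attacker", now=2)
            accepted += 1
        except PermissionError:
            pass
    return accepted
```

With the defaults, first_minter_scenario() shows a threshold of 0, five later minters contributing 0 weight, and a successful proposal; spam_count(0) lands every attempt at zero supply. Passing min_supply=10 blocks proposing until the DAO has real holders, and max_active_per_token=N bounds the spam an attacker can create to N proposals per token held, which is 0 at zero supply.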