Closed code423n4 closed 1 year ago
Voting power is computed but no governor is provided. If a project wants its governance onchain, they will have to deploy one, and might then transfer delegate ownership to it.
As the contracts do not implement any proposal or actual voting mechanism, the intent is clearly that projects deploy it and transfer the ownership to the Governor contract if they want to
Picodes marked the issue as change severity
Lines of code
https://github.com/jbx-protocol/juice-nft-rewards/blob/7d7aec6f8642c6e1c5e55cfed67eb69b6fc8174a/contracts/JB721GlobalGovernance.sol#L19
https://github.com/jbx-protocol/juice-nft-rewards/blob/7d7aec6f8642c6e1c5e55cfed67eb69b6fc8174a/contracts/JB721TieredGovernance.sol#L24
Vulnerability details
Description
Juicebox implemented voting functionality in JB721GlobalGovernance and JB721TieredGovernance delegates. However, since these contracts inherit from JBTiered721Delegate, all the critical onlyOwner functionality remains in the project's hands. The following functions may be called without voting power:
While it may be necessary for the project to hold these powers during the bootstrapping period, when not enough voters are available, it is not acceptable that projects retain this capacity forever. Users are unaware that, although they joined a governance-enabled delegate, the key management functionality will always remain in the project's hands.
Impact
The project owner can forever call every critical onlyOwner function in the governance-based delegates, regardless of token-holder voting power.
Tools Used
Manual audit
Recommended Mitigation Steps
Re-implement the critical management functions in the Governance delegates and integrate the voting unit calculations, so that after the bootstrapping period these functions can only be executed by a vote of token holders.
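One way the mitigation could look, as an added example that is not part of this finding and not Juicebox's code. The contract below is hypothetical: it keeps a single management function (setBaseUri) to stand in for the delegate's onlyOwner set, uses OpenZeppelin Contracts 4.9.x ERC721Votes for the voting unit checkpoints (balance-weighted; a tiered delegate would override _getVotingUnits), and assumes an owner-controlled bootstrap window ending at a deployer-chosen timestamp, after which the owner's direct access expires and only a proposal that reached quorum can execute the call through the contract itself. QUORUM_BPS, Proposal, propose/castVote/execute and bootstrapEnd are all names chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical example, not Juicebox code. Assumes OpenZeppelin Contracts 4.9.x.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {ERC721Votes} from "@openzeppelin/contracts/token/ERC721/extensions/ERC721Votes.sol";
import {EIP712} from "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// @dev Toy delegate whose management function is gated by token-holder votes
///      once a bootstrap window has elapsed. The owner keeps direct control only
///      until `bootstrapEnd` (assumed timestamp); afterwards only a passed
///      proposal, executed through this contract itself, may call it.
contract VoteGatedDelegate is ERC721Votes, Ownable {
    struct Proposal {
        bytes32 actionHash;    // keccak256 of the calldata the proposal will execute
        uint256 snapshotBlock; // voting power is read at this block
        uint256 votesFor;
        bool executed;
    }

    uint256 public constant QUORUM_BPS = 5_000; // 50% of checkpointed supply (assumption)
    uint256 public immutable bootstrapEnd;
    string public baseUri;
    Proposal[] public proposals;
    mapping(uint256 => mapping(address => bool)) public hasVoted;
    uint256 private _nextId = 1;

    event Proposed(uint256 indexed id, bytes32 actionHash, uint256 snapshotBlock);
    event Executed(uint256 indexed id);

    constructor(uint256 _bootstrapEnd) ERC721("Gated", "GTD") EIP712("Gated", "1") {
        bootstrapEnd = _bootstrapEnd;
    }

    /// @dev Owner mints during bootstrap; minting is what creates voting units.
    function mint(address to) external onlyOwner {
        _mint(to, _nextId++);
    }

    /// @dev Any holder with (delegated) voting power opens a proposal for an admin call.
    function propose(bytes calldata action) external returns (uint256 id) {
        require(getVotes(msg.sender) > 0, "no voting power");
        id = proposals.length;
        proposals.push(Proposal({
            actionHash: keccak256(action),
            snapshotBlock: block.number,
            votesFor: 0,
            executed: false
        }));
        emit Proposed(id, keccak256(action), block.number);
    }

    /// @dev Votes are weighted by the voter's checkpointed power at the snapshot.
    function castVote(uint256 id) external {
        Proposal storage p = proposals[id];
        require(block.number > p.snapshotBlock, "snapshot not mined");
        require(!p.executed, "already executed");
        require(!hasVoted[id][msg.sender], "already voted");
        uint256 weight = getPastVotes(msg.sender, p.snapshotBlock);
        require(weight > 0, "no voting power at snapshot");
        hasVoted[id][msg.sender] = true;
        p.votesFor += weight;
    }

    /// @dev Executes the proposed admin call once quorum is reached. State is
    ///      updated before the external call so re-execution is impossible.
    function execute(uint256 id, bytes calldata action) external {
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        require(keccak256(action) == p.actionHash, "action mismatch");
        uint256 supply = getPastTotalSupply(p.snapshotBlock);
        require(supply > 0 && p.votesFor * 10_000 >= supply * QUORUM_BPS, "quorum not reached");
        p.executed = true;
        (bool ok, ) = address(this).call(action);
        require(ok, "action failed");
        emit Executed(id);
    }

    /// @dev The management function: callable directly by the owner only while
    ///      bootstrapping, and by a passed proposal (via `execute`) thereafter.
    function setBaseUri(string calldata uri) external {
        require(
            msg.sender == address(this) ||
                (msg.sender == owner() && block.timestamp < bootstrapEnd),
            "not authorised"
        );
        baseUri = uri;
    }

    function _baseURI() internal view override returns (string memory) {
        return baseUri;
    }
}
```

Two caveats a reviewer should carry over from ERC721Votes semantics: a holder has zero voting power until they call delegate (typically to themselves), so propose and castVote fail for undelegated balances, while getPastTotalSupply counts every minted token whether delegated or not, so quorum is measured against all tokens, not only active voters. The owner's access is bounded by an immutable timestamp rather than by a renounceable role, so the bootstrap window cannot be silently extended after deployment.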