code-423n4 / 2022-10-juicebox-findings


Global/Tiered Governance contracts do not enforce voting in inherited TieredDelegate functions #184

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/jbx-protocol/juice-nft-rewards/blob/7d7aec6f8642c6e1c5e55cfed67eb69b6fc8174a/contracts/JB721GlobalGovernance.sol#L19
https://github.com/jbx-protocol/juice-nft-rewards/blob/7d7aec6f8642c6e1c5e55cfed67eb69b6fc8174a/contracts/JB721TieredGovernance.sol#L24

Vulnerability details

Description

Juicebox implemented voting functionality in JB721GlobalGovernance and JB721TieredGovernance delegates. However, since these contracts inherit from JBTiered721Delegate, all the critical onlyOwner functionality remains in the project's hands. The following functions may be called without voting power:

  1. setBaseUri
  2. setContractUri
  3. setTokenUriResolver
  4. mintFor
  5. adjustTiers
  6. setDefaultReservedTokenBeneficiary

While it may be necessary to have these powers in the project's hands during the bootstrapping period, when not enough voters are available, it is not satisfactory that projects will forever have this capacity. Users are unaware that although they joined a Governance contract, the key functionality will always be in the project's hands.

Impact

Project can forever call any critical function in Governance-based delegates

Tools Used

Manual audit

Recommended Mitigation Steps

Re-implement the critical management functions in Governance delegates and integrate voting unit calculations.

drgorillamd commented 1 year ago

Voting power is computed but no governor is provided. If a project wants its governance onchain, they will have to deploy such, and might then transfer delegate ownership to it.

Picodes commented 1 year ago

As the contracts do not implement any proposal or actual voting mechanism, the intent is clearly that projects deploy it and transfer the ownership to the Governor contract if they want to.
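The following is an added illustration, not Juicebox code, of the shape both the finding and the maintainers describe: a delegate whose admin surface is gated by ownership alone, beside a minimal governor that relays only vote-approved calls. Once the project calls `transferOwnership(address(governor))` on the delegate, the listed onlyOwner functions can only run after a passed proposal; until then the project's key can call them freely. All contract names and the fixed voting-power table are assumptions made for the example.

```solidity
pragma solidity ^0.8.17;

// Minimal Ownable written here for self-containment; stands in for the inherited ownership logic.
abstract contract Ownable {
    address public owner;
    constructor(address initialOwner) { owner = initialOwner; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero owner");
        owner = newOwner;
    }
}

// Stand-in for the delegate: while the project's key holds ownership, setBaseUri needs no vote.
contract ExampleDelegate is Ownable {
    string public baseUri;
    constructor() Ownable(msg.sender) {}
    function setBaseUri(string calldata uri) external onlyOwner { baseUri = uri; }
}

// Stand-in for the governor projects are expected to deploy; voting power is a constructed table.
contract ExampleGovernor {
    uint256 public immutable threshold;
    mapping(address => uint256) public votingPower;
    mapping(bytes32 => uint256) public votesFor;
    mapping(bytes32 => mapping(address => bool)) public hasVoted;
    mapping(bytes32 => bool) public executed;
    constructor(address[] memory voters, uint256[] memory power, uint256 threshold_) {
        require(voters.length == power.length, "length mismatch");
        for (uint256 i = 0; i < voters.length; i++) votingPower[voters[i]] = power[i];
        threshold = threshold_;
    }
    // A proposal is identified by the exact call it would make.
    function proposalId(address t, bytes memory d) public pure returns (bytes32) { return keccak256(abi.encode(t, d)); }
    function vote(address target, bytes calldata data) external {
        bytes32 id = proposalId(target, data);
        require(!hasVoted[id][msg.sender], "already voted");
        hasVoted[id][msg.sender] = true;
        votesFor[id] += votingPower[msg.sender];
    }
    // Only a call that cleared the threshold is relayed; once the governor owns the delegate,
    // this is the sole path to the delegate's onlyOwner functions.
    function execute(address target, bytes calldata data) external {
        bytes32 id = proposalId(target, data);
        require(!executed[id] && votesFor[id] >= threshold, "proposal not passed");
        executed[id] = true;
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}
```

A user checking whether a project has actually given up this control can read `owner()` on the delegate and confirm it resolves to the governor rather than the project's key.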

c4-judge commented 1 year ago

Duplicate of https://github.com/code-423n4/2022-10-juicebox-findings/issues/180

c4-judge commented 1 year ago

Picodes marked the issue as change severity