Closed sherlock-admin3 closed 4 months ago
1 comment(s) were left on this issue during the judging contest.
WangAudit commented:
seems to be working correctly since it deletes non-eligible proposals; and in the second loop it accounts only for eligible proposals
We think this issue is correct, at low severity, and is the same as #14
Refer to #14
ether_sky
high
Users may call the updateRewardsForProposalWritingAndVoting function with incorrect parameters for votingClientIds.
Summary
The updateRewardsForProposalWritingAndVoting function is important and is really gas-intensive. And it's really hard to identify the correct votingClientIds parameter. We have the getVotingClientIds function in order to determine the correct votingClientIds parameter. However, this function returns incorrect results.
Vulnerability Detail
In the updateRewardsForProposalWritingAndVoting function, proposals that fail to meet the eligible quorum threshold are skipped. However, this aspect is not taken into account in the getVotingClientIds function. As a result, the updateRewardsForProposalWritingAndVoting function can be reverted due to some client IDs having no eligible votes.
Impact
Users' funds can be lost due to high gas fees (as this function is particularly gas-intensive), and manually identifying the revert reason will be really challenging.
Code Snippet
https://github.com/sherlock-audit/2024-03-nouns-dao-2/blob/8f6879efaf831eb7fc9d4a4ad2b62b5334220d87/nouns-monorepo/packages/nouns-contracts/contracts/client-incentives/Rewards.sol#L358-L361
https://github.com/sherlock-audit/2024-03-nouns-dao-2/blob/8f6879efaf831eb7fc9d4a4ad2b62b5334220d87/nouns-monorepo/packages/nouns-contracts/contracts/client-incentives/Rewards.sol#L494-L526
https://github.com/sherlock-audit/2024-03-nouns-dao-2/blob/8f6879efaf831eb7fc9d4a4ad2b62b5334220d87/nouns-monorepo/packages/nouns-contracts/contracts/client-incentives/Rewards.sol#L437-L439
Tool used
Manual Review
Recommendation
Duplicate of #14
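
Added example, not part of the original report and not the Rewards.sol code: a simplified Python model of the mismatch the report describes, with a helper that filters on eligibility beside one that does not. The data shapes, the function names, the `total_votes >= quorum` eligibility rule and the sample values are assumptions made for illustration.

```python
# Simplified model (assumed data shapes, not the Rewards.sol implementation).
from dataclasses import dataclass

@dataclass
class Proposal:
    total_votes: int       # votes cast on the proposal
    votes_by_client: dict  # client id -> votes attributed to that client

class Revert(Exception):
    """Stands in for an on-chain revert."""

def is_eligible(p, quorum):
    # Assumed simplification of the eligible quorum threshold.
    return p.total_votes >= quorum

def naive_voting_client_ids(proposals):
    # Helper as the report describes it: ignores the eligibility threshold.
    ids = {cid for p in proposals
           for cid, v in p.votes_by_client.items() if v > 0}
    return sorted(ids)

def eligible_voting_client_ids(proposals, quorum):
    # Filtered helper: only counts votes on proposals the update will not skip.
    ids = {cid for p in proposals if is_eligible(p, quorum)
           for cid, v in p.votes_by_client.items() if v > 0}
    return sorted(ids)

def update_rewards(proposals, voting_client_ids, quorum):
    # Update as the report describes it: skips ineligible proposals, then
    # reverts if a supplied client id ends up with no eligible votes.
    totals = {cid: 0 for cid in voting_client_ids}
    for p in proposals:
        if not is_eligible(p, quorum):
            continue
        for cid in voting_client_ids:
            totals[cid] += p.votes_by_client.get(cid, 0)
    for cid, votes in totals.items():
        if votes == 0:
            raise Revert(f"client {cid} has no eligible votes")
    return totals

# Constructed sample: client 3 voted only on a proposal below quorum.
QUORUM = 10
PROPOSALS = [
    Proposal(total_votes=25, votes_by_client={1: 15, 2: 10}),
    Proposal(total_votes=4, votes_by_client={3: 4}),
]
```

Passing the output of `naive_voting_client_ids` to `update_rewards` raises `Revert` for client 3, while the output of `eligible_voting_client_ids` goes through.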