NFT doesn't handle hard forks. Ensuring NFT Ownership Clarity Across Blockchain Hard Forks in Nouns DAO Protocol.
Summary
The Nouns DAO protocol, through its governance and incentive mechanisms, issues NFTs as rewards or tokens representing certain rights or privileges within the ecosystem. The handling of these NFTs across potential blockchain hard forks presents a challenge to ensuring clear and undisputed ownership across divergent chains. The current implementation does not account for the distinction between original and forked chains, potentially leading to confusion and ownership disputes post-fork.
Vulnerability Detail
The problem is that the protocol lack of explicit consideration for blockchain hard forks within its NFT management strategy. Specifically, the tokenURI function in the Rewards.sol contract fails to include or check for the chain ID in its operations. This omission means that NFTs issued on the original blockchain could be ambiguously claimed or accessed on forked chains without clear differentiation or acknowledgment of the originating chain.
When there are hard forks, users often have to go through many hoops to ensure that they control ownership on every fork. Consider adding require(1 == chain.chainId), or the chain ID of whichever chain you prefer, to the functions below, or at least include the chain ID in the URI, so that there is no confusion about which chain is the owner of the NFT.
Impact
This lack of explicit chain ID handling may lead to several issues:
Ownership Confusion: NFT holders may face challenges in asserting their ownership on forked chains, leading to potential loss of access or control over their NFTs.
Cross-Chain Disputes: In the absence of clear chain ID differentiation, disputes may arise over the legitimacy of NFT claims on forked chains, complicating governance and the execution of associated rights or privileges.
Protocol Integrity: The ambiguity regarding NFT ownership across forks could undermine the integrity of the Nouns DAO protocol, particularly in maintaining a consistent and transparent governance structure post-fork.
Modify the tokenURI function to include a chain ID check, ensuring that NFT operations are explicitly associated with the original chain. This can be done using a `require' statement that checks the current chain ID against the intended one.
auditsbyradev
medium
NFT doesn't handle hard forks. Ensuring NFT Ownership Clarity Across Blockchain Hard Forks in Nouns DAO Protocol.
Summary
The Nouns DAO protocol, through its governance and incentive mechanisms, issues NFTs as rewards or tokens representing certain rights or privileges within the ecosystem. The handling of these NFTs across potential blockchain hard forks presents a challenge to ensuring clear and undisputed ownership across divergent chains. The current implementation does not account for the distinction between original and forked chains, potentially leading to confusion and ownership disputes post-fork.
Vulnerability Detail
The problem is that the protocol lack of explicit consideration for blockchain hard forks within its NFT management strategy. Specifically, the
tokenURI
function in theRewards.sol
contract fails to include or check for the chain ID in its operations. This omission means that NFTs issued on the original blockchain could be ambiguously claimed or accessed on forked chains without clear differentiation or acknowledgment of the originating chain.When there are hard forks, users often have to go through many hoops to ensure that they control ownership on every fork. Consider adding require(1 == chain.chainId), or the chain ID of whichever chain you prefer, to the functions below, or at least include the chain ID in the URI, so that there is no confusion about which chain is the owner of the NFT.
Impact
This lack of explicit chain ID handling may lead to several issues:
Code Snippet
Tool used
Manual Review
Recommendation
Modify the
tokenURI
function to include a chain ID check, ensuring that NFT operations are explicitly associated with the original chain. This can be done using a `require' statement that checks the current chain ID against the intended one.