sherlock-audit / 2024-03-nouns-dao-2-judging


auditsbyradev - NFT doesn't handle hard forks. Ensuring NFT Ownership Clarity Across Blockchain Hard Forks in Nouns DAO Protocol. #41

Closed sherlock-admin3 closed 4 months ago

sherlock-admin3 commented 4 months ago

auditsbyradev

medium

NFT doesn't handle hard forks. Ensuring NFT Ownership Clarity Across Blockchain Hard Forks in Nouns DAO Protocol.

Summary

The Nouns DAO protocol, through its governance and incentive mechanisms, issues NFTs as rewards or tokens representing certain rights or privileges within the ecosystem. The handling of these NFTs across potential blockchain hard forks presents a challenge to ensuring clear and undisputed ownership across divergent chains. The current implementation does not account for the distinction between original and forked chains, potentially leading to confusion and ownership disputes post-fork.

Vulnerability Detail

The problem is the protocol's lack of explicit consideration for blockchain hard forks within its NFT management strategy. Specifically, the `tokenURI` function in the `Rewards.sol` contract fails to include or check for the chain ID in its operations. This omission means that NFTs issued on the original blockchain could be ambiguously claimed or accessed on forked chains without clear differentiation or acknowledgment of the originating chain.

When there are hard forks, users often have to go through many hoops to ensure that they control ownership on every fork. Consider adding `require(block.chainid == 1)`, or the chain ID of whichever chain you prefer, to the functions below, or at least include the chain ID in the URI, so that there is no confusion about which chain is the owner of the NFT.

Impact

This lack of explicit chain ID handling may lead to several issues:

Code Snippet

Tool used

Manual Review

Recommendation

Modify the `tokenURI` function to include a chain ID check, ensuring that NFT operations are explicitly associated with the original chain. This can be done using a `require` statement that checks the current chain ID against the intended one.
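The two mitigations the recommendation describes, a chain ID check and a chain ID embedded in the URI, shown side by side with the unchecked form, as an added example that is not code from the Nouns DAO repository or the issue author. The contract name `ChainBoundURI`, the `WrongChain` error and the URI layout are assumptions made for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal contract (not Nouns DAO code) showing how tokenURI can
// be bound to the chain it was issued on. Requires solc >= 0.8.12 for string.concat.
contract ChainBoundURI {
    // Chain ID of the canonical chain, captured at deployment. Assumption: the
    // collection is deployed on the chain that should own the NFTs (1 = mainnet).
    uint256 public immutable ISSUING_CHAIN_ID;
    string private _baseURI;

    error WrongChain(uint256 expected, uint256 actual);

    constructor(string memory baseURI_) {
        ISSUING_CHAIN_ID = block.chainid;
        _baseURI = baseURI_;
    }

    // Before: no chain awareness. After a hard fork both chains return the same
    // URI, so nothing distinguishes the canonical token from its forked copy.
    function tokenURIUnchecked(uint256 tokenId) external view returns (string memory) {
        return string.concat(_baseURI, _toString(tokenId));
    }

    // After: reverts on any chain other than the issuing one, and embeds the
    // chain ID in the URI so off-chain consumers can tell forks apart even if
    // a fork later removes the revert.
    function tokenURI(uint256 tokenId) external view returns (string memory) {
        if (block.chainid != ISSUING_CHAIN_ID) {
            revert WrongChain(ISSUING_CHAIN_ID, block.chainid);
        }
        // e.g. <baseURI>1/42 for chain 1, token 42
        return string.concat(_baseURI, _toString(block.chainid), "/", _toString(tokenId));
    }

    // Minimal uint256 -> decimal string helper.
    function _toString(uint256 value) internal pure returns (string memory) {
        if (value == 0) return "0";
        uint256 temp = value;
        uint256 digits;
        while (temp != 0) { digits++; temp /= 10; }
        bytes memory buffer = new bytes(digits);
        while (value != 0) {
            digits--;
            buffer[digits] = bytes1(uint8(48 + value % 10));
            value /= 10;
        }
        return string(buffer);
    }
}
```

Because `ISSUING_CHAIN_ID` is read from `block.chainid` at deployment, a fork that keeps the same chain ID would still pass the check; pinning a constant such as `1` is the stricter variant when the intended chain is known in advance.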

sherlock-admin2 commented 4 months ago

1 comment(s) were left on this issue during the judging contest.

WangAudit commented:

low/info; contracts are upgradeable and even if hard fork happens it can be fixed