sherlock-audit / 2024-03-nouns-dao-2-judging


auditsbyradev - `NounsDAOLogicV4.sol` contract - Proposal with canceled signature can be executed #44

Closed sherlock-admin3 closed 4 months ago

sherlock-admin3 commented 4 months ago

auditsbyradev

high

NounsDAOLogicV4.sol contract - Proposal with canceled signature can be executed

Summary

The Nouns DAO protocol utilizes NFTs (non-fungible tokens) as both a participatory medium and a voting mechanism for governance decisions. In essence, Nouns DAO allows token holders to propose, vote on, and implement changes to the protocol. Proposals can range from adjustments to the protocol's parameters to broader strategic directions. The governance model is designed to be inclusive and decentralized, ensuring that all decisions are made transparently and democratically.

Vulnerability Detail

The problem is that proposals with a canceled signature can be executed. In a standard operating scenario, a proposal is submitted with a signature that verifies the identity and intent of the proposer. This signature is a cryptographic guarantee of the proposal's authenticity and the proposer's consent. However, the vulnerability is that proposals whose signatures have been canceled - either by the proposer retracting their consent or through some other means - can still be executed.

Impact

Malicious actors could exploit this vulnerability to pass proposals that have been publicly canceled or retracted, leading to unauthorized changes in the protocol. The ability to execute proposals with canceled signatures undermines the trust and security model of the DAO. It opens up the potential for proposals to be executed against the original intent of the proposer or without proper authorization. The integrity of the governance process is compromised, as proposals that may have been withdrawn or canceled due to community feedback could still be executed.

Code Snippet

Tool used

Manual Review

Recommendation

Implement additional checks in the proposal execution process to verify the status of a signature, ensuring it has not been canceled or invalidated before execution.

sherlock-admin3 commented 4 months ago

1 comment(s) were left on this issue during the judging contest.

WangAudit commented:

proposals have to be succeeded and then queued to be executed; I don't think this can happen with cancelled proposals; at least the report decided not to show anything of this plus signature cancellation
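The following is an added illustration, not code from the Nouns DAO contracts or from either participant above. It models the lifecycle WangAudit describes (a proposal must reach Succeeded, then Queued, before it can be executed) and adds the signature-status check the report recommends, both at proposal creation and again at execution. All names (`Governor`, `Proposal`, `State`, `propose_by_sigs`, `cancel_sig`, the sample signer addresses and signature bytes) are assumptions made for this example; the real `NounsDAOLogicV4.sol` state machine and its signature handling are not shown on this page and are not reproduced here.

```python
"""Toy proposal-by-signature governor (assumed model, not Nouns DAO code).

The state sequence PENDING -> SUCCEEDED -> QUEUED -> EXECUTED follows the
judging comment; the canceled-signature checks follow the report's
recommendation. Vote tallying and timelocks are stubbed as simple transitions.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum, auto


class State(Enum):
    PENDING = auto()
    SUCCEEDED = auto()
    QUEUED = auto()
    EXECUTED = auto()


def sig_digest(sig: bytes) -> bytes:
    """Identify a signature by its hash so the cancel set never holds raw sigs."""
    return hashlib.sha256(sig).digest()


@dataclass
class Proposal:
    pid: int
    signers: list[str]          # assumed: addresses whose signatures backed creation
    sig_digests: list[bytes]    # digest of each backing signature
    state: State = State.PENDING


@dataclass
class Governor:
    """Hypothetical governor; every method name here is an assumption."""
    canceled_sigs: set[bytes] = field(default_factory=set)
    proposals: dict[int, Proposal] = field(default_factory=dict)
    next_id: int = 1

    def cancel_sig(self, sig: bytes) -> None:
        """A signer retracts consent: the signature digest becomes unusable."""
        self.canceled_sigs.add(sig_digest(sig))

    def _assert_sigs_live(self, signers: list[str], digests: list[bytes]) -> None:
        for signer, digest in zip(signers, digests):
            if digest in self.canceled_sigs:
                raise PermissionError(f"signature from {signer} has been canceled")

    def propose_by_sigs(self, sigs: list[tuple[str, bytes]]) -> int:
        """Create a proposal only if none of its backing signatures is canceled."""
        signers = [s for s, _ in sigs]
        digests = [sig_digest(raw) for _, raw in sigs]
        self._assert_sigs_live(signers, digests)
        pid = self.next_id
        self.next_id += 1
        self.proposals[pid] = Proposal(pid, signers, digests)
        return pid

    def _advance(self, pid: int, expected: State, new: State) -> Proposal:
        p = self.proposals[pid]
        if p.state is not expected:
            raise ValueError(f"proposal {pid} is {p.state.name}, expected {expected.name}")
        p.state = new
        return p

    def mark_succeeded(self, pid: int) -> None:
        # Stands in for the vote passing; the real tally is out of scope here.
        self._advance(pid, State.PENDING, State.SUCCEEDED)

    def queue(self, pid: int) -> None:
        self._advance(pid, State.SUCCEEDED, State.QUEUED)

    def execute(self, pid: int) -> None:
        """Execution requires QUEUED state and, per the recommendation, live sigs."""
        p = self.proposals[pid]
        if p.state is not State.QUEUED:
            raise ValueError(f"proposal {pid} is {p.state.name}, not QUEUED")
        self._assert_sigs_live(p.signers, p.sig_digests)
        p.state = State.EXECUTED

    def state_of(self, pid: int) -> State:
        return self.proposals[pid].state


# Constructed sample input: fake signer addresses and fake signature bytes.
SAMPLE_SIGS = [("0xAlice", b"sig-alice"), ("0xBob", b"sig-bob")]

if __name__ == "__main__":
    gov = Governor()
    pid = gov.propose_by_sigs(SAMPLE_SIGS)
    gov.mark_succeeded(pid)
    gov.queue(pid)
    gov.cancel_sig(b"sig-bob")  # Bob retracts after the vote passed
    try:
        gov.execute(pid)
    except PermissionError as exc:
        print("execute refused:", exc)
```

Two observations for anyone assessing the report against a real governor. First, a cancellation that happens before `propose_by_sigs` is already covered by the creation-time check, so the report's scenario only matters if a signature can be canceled after the proposal exists and the vote has passed. Second, re-checking signatures at execution time, as the recommendation asks, lets any single signer veto a proposal the DAO has already approved; whether that is desired is a governance design decision, not something this page settles.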