Closed sherlock-admin3 closed 3 months ago
1 comment(s) were left on this issue during the judging contest.
WangAudit commented:
initially invalidating it; since it's not described how it can be used; yes I see the vulns in the node-forge you've listed; but you don't express how it can be manipulated/exploited specifically and this report looks more like a recommendation/information
just to note so the Nouns team is aware of this : )
all bugs are basically related to signature/digest.
the bugs above:
The contracts in scope of this audit that use signature/digests are:
So, at best the Nouns team should upgrade the node-forge package to version 1.3.0 or later, where the vulnerabilities have been addressed.
auditsbyradev
medium
Vulnerable versions of packages are being used (Cryptographic Vulnerabilities in Nouns DAO Protocol Due to Outdated node-forge Dependencies)
Summary
The Nouns DAO protocol employs a decentralized autonomous organization model to govern the creation, auction, and distribution of NFTs, known as Nouns. These NFTs are integral to the protocol, granting holders governance rights, including proposing changes, voting on proposals, and influencing the direction and development of the Nouns ecosystem. The auction house mechanism is a critical component, facilitating the periodic auctioning of Nouns to the highest bidder, with proceeds typically directed towards the DAO's treasury to fund community initiatives.
Vulnerability Detail
The problem is that the protocol uses vulnerable versions of the `node-forge` package. `Node-forge` is a JavaScript library that provides a plethora of cryptographic operations. The specific vulnerabilities identified involve improper verification of cryptographic signatures and an open redirect issue, potentially compromising the integrity and security of cryptographic operations within the Nouns DAO protocol.
- `node-forge` - MODERATE - [Link](https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr) - Improper Verification of Cryptographic Signature in node-forge
- `node-forge` - MODERATE - [Link](https://nvd.nist.gov/vuln/detail/CVE-2022-0122) - Open Redirect in node-forge
- `node-forge` - HIGH - [Link](https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765) - Improper Verification of Cryptographic Signature in node-forge
- `node-forge` - HIGH - [Link](https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g) - Improper Verification of Cryptographic Signature in node-forge
Impact
The implications of these vulnerabilities are significant, considering the reliance on cryptographic operations for NFT verification, secure transactions, and overall protocol security. Specifically:
Code Snippet
https://github.com/sherlock-audit/2024-03-nouns-dao-2/blob/8f6879efaf831eb7fc9d4a4ad2b62b5334220d87/nouns-monorepo/packages/nouns-contracts/contracts/NounsAuctionHouse.sol#L1-L261
Tool used
Manual Review
Recommendation
Upgrade the `node-forge` package to version `1.3.0` or later, where the vulnerabilities have been addressed.
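One way to check a project against the recommendation above is to scan the npm lockfile for every installed copy of node-forge, including nested transitive copies, and flag any below 1.3.0. This is an added example, not code from the report or the Nouns repository; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag node-forge copies below the fixed version in a parsed
// package-lock.json. Covers lockfile v2/v3 ("packages") and v1 ("dependencies").
const FIXED = [1, 3, 0]; // version the report recommends upgrading to

// Parse "MAJOR.MINOR.PATCH" into numbers, ignoring any pre-release/build suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version triple v sorts strictly before min.
function isBelow(v, min) {
  for (let i = 0; i < 3; i++) {
    if (v[i] !== min[i]) return v[i] < min[i];
  }
  return false;
}

function findOutdatedForge(lock, min = FIXED) {
  const hits = [];
  const check = (where, version) => {
    const parsed = parseVersion(version);
    // Unparseable versions (git URLs, tarballs) are reported for manual review.
    if (!parsed || isBelow(parsed, min)) hits.push({ where, version });
  };
  // v2/v3: flat map keyed by install path; nested copies appear as
  // "node_modules/<parent>/node_modules/node-forge".
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/node-forge")) check(path, meta.version);
  }
  // v1: nested "dependencies" tree (skipped when "packages" exists, since
  // v2 lockfiles carry both and would produce duplicate hits).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === "node-forge") check(here.join(" > "), meta.version);
      walk(meta.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile ("some-dev-tool" is a hypothetical package).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "example-app" },
  "node_modules/node-forge": { version: "1.3.1" },
  "node_modules/some-dev-tool/node_modules/node-forge": { version: "0.10.0" },
} };
console.log(findOutdatedForge(SAMPLE_LOCK));
```

Each hit names the install path, which shows whether the outdated copy is a direct dependency or pulled in by another package that would need upgrading or an override.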