Closed sherlock-admin3 closed 4 months ago
1 comment(s) were left on this issue during the judging contest.
WangAudit commented:
I don't see a clear impact from that report; it seems like intended functionality; I don't see how funds can be stolen; plus there are specific objection periods to vote against.
Proposals can only be updated during the updatable period, and it's all by design.
auditsbyradev
high
NounsDAOProposals.sol contract: Description and Transactions of proposals can be changed post-submission
Summary
The Nouns DAO protocol uses an advanced governance model, allowing token holders to propose, vote and implement changes to the ecosystem. This model is built around proposals that encapsulate changes ranging from minor tweaks in protocol parameters to significant financial allocations from the DAO treasury. Each proposal goes through a life cycle from creation, through a voting period, to implementation if approved. The integrity of this process is vital to maintaining trust, ensuring community interests are fairly represented, and protecting protocol assets.
Vulnerability Detail
The problem is that the Nouns DAO governance logic, specifically within the NounsDAOProposals.sol contract, allows proposers to update the description and transactions of proposals post-submission. While intended to improve the user experience by incorporating voter feedback directly into the suggestion engine, this feature inadvertently introduces risk. Voters who vote based on initial versions of proposals may not be aware of subsequent material changes, potentially leading to the approval of proposals that are no longer consistent with their original intent.
Impact
Malicious proposers could exploit this feature to initially present benign proposals, gather support, then alter the proposal's intent or financial allocations to serve their interests. Awareness of the potential for proposal manipulation could lead to decreased participation in the voting process, undermining the governance model's legitimacy. Significant treasury assets could be misallocated or stolen if proposals with hidden or late-stage changes are executed, leading to financial loss and reputational damage. The execution of materially altered proposals, especially those involving financial transactions, could expose the DAO to legal and regulatory scrutiny.
Code Snippet
[NounsDAOProposals.sol#updateProposal()](https://github.com/sherlock-audit/2024-03-nouns-dao-2/blob/8f6879efaf831eb7fc9d4a4ad2b62b5334220d87/nouns-monorepo/packages/nouns-contracts/contracts/governance/NounsDAOProposals.sol#L227-L260) function:
Tool used
Manual Review
Recommendation
Several mitigations can be done here:
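The following is an added, self-contained illustration written for this page; it is not Nouns DAO code and not one of the report's own recommendations. It models the pattern the report and the judging comment both describe (a proposer may edit a proposal's transactions and description, but only during an updatable window that closes before voting opens) and shows one way to make a stale review harmless: every proposal version is identified by a keccak256 hash of its targets, values, calldatas and description, and a vote must name the hash of the version the voter actually reviewed. The contract name, the period lengths, the `votes` balance stand-in and the `castVote(id, support, reviewedHash)` signature are all assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative, simplified governor. NOT the Nouns DAO code: the names,
/// periods and the content-hash binding below are assumptions for this example.
/// Proposals may be edited only while "updatable"; every vote must name the
/// exact version (content hash) it was cast for, so a vote prepared against an
/// earlier description/transaction set reverts instead of silently counting
/// toward the edited proposal.
contract VersionedProposals {
    struct Proposal {
        address proposer;
        uint256 updatePeriodEndBlock; // proposer may edit before this block
        uint256 startBlock;           // voting opens (>= updatePeriodEndBlock)
        uint256 endBlock;             // voting closes
        bytes32 contentHash;          // keccak256 of targets/values/calldatas/description
        uint256 forVotes;
        uint256 againstVotes;
        mapping(address => bool) hasVoted;
    }

    uint256 public immutable updatablePeriod;
    uint256 public immutable votingDelay;
    uint256 public immutable votingPeriod;
    uint256 public proposalCount;
    mapping(uint256 => Proposal) private proposals;
    // Constructed stand-in for a token balance snapshot; a real governor
    // would read a checkpointed voting-token balance instead.
    mapping(address => uint256) public votes;

    event ProposalUpdated(uint256 indexed id, bytes32 oldHash, bytes32 newHash);

    constructor(uint256 updatablePeriod_, uint256 votingDelay_, uint256 votingPeriod_) {
        // Edits must close before voting opens, so no counted vote can ever
        // refer to a version other than the one that would execute.
        require(votingDelay_ >= updatablePeriod_, "voting must start after edits close");
        updatablePeriod = updatablePeriod_;
        votingDelay = votingDelay_;
        votingPeriod = votingPeriod_;
    }

    /// Binds all user-visible proposal content into one version identifier.
    function hashContent(
        address[] memory targets, uint256[] memory values,
        bytes[] memory calldatas, string memory description
    ) public pure returns (bytes32) {
        return keccak256(abi.encode(targets, values, calldatas, keccak256(bytes(description))));
    }

    function propose(address[] memory targets, uint256[] memory values,
        bytes[] memory calldatas, string memory description) external returns (uint256 id) {
        require(targets.length == values.length && targets.length == calldatas.length, "arity");
        id = ++proposalCount;
        Proposal storage p = proposals[id];
        p.proposer = msg.sender;
        p.updatePeriodEndBlock = block.number + updatablePeriod;
        p.startBlock = block.number + votingDelay;
        p.endBlock = p.startBlock + votingPeriod;
        p.contentHash = hashContent(targets, values, calldatas, description);
    }

    /// Proposer-only edit, allowed only inside the updatable window. The
    /// version hash changes, which invalidates any vote prepared for the old one.
    function updateProposal(uint256 id, address[] memory targets, uint256[] memory values,
        bytes[] memory calldatas, string memory description) external {
        Proposal storage p = proposals[id];
        require(msg.sender == p.proposer, "only proposer");
        require(block.number < p.updatePeriodEndBlock, "updatable period over");
        require(targets.length == values.length && targets.length == calldatas.length, "arity");
        bytes32 newHash = hashContent(targets, values, calldatas, description);
        emit ProposalUpdated(id, p.contentHash, newHash);
        p.contentHash = newHash;
    }

    /// The voter passes the hash of the version they reviewed; a stale hash reverts.
    function castVote(uint256 id, bool support, bytes32 reviewedHash) external {
        Proposal storage p = proposals[id];
        require(block.number >= p.startBlock && block.number <= p.endBlock, "voting closed");
        require(reviewedHash == p.contentHash, "proposal changed since you reviewed it");
        require(!p.hasVoted[msg.sender], "already voted");
        p.hasVoted[msg.sender] = true;
        uint256 weight = votes[msg.sender];
        if (support) p.forVotes += weight; else p.againstVotes += weight;
    }

    function contentHashOf(uint256 id) external view returns (bytes32) {
        return proposals[id].contentHash;
    }
}
```

Walk-through of the scenario the report describes: a voter reads version 1 of a proposal and records `h1 = contentHashOf(id)`; the proposer then calls `updateProposal` within the updatable window, so `contentHashOf(id)` becomes `h2` and a `ProposalUpdated(id, h1, h2)` event is emitted; when voting opens the voter's `castVote(id, true, h1)` reverts with "proposal changed since you reviewed it" rather than counting toward the edited transactions. The constructor check mirrors the sequencing the judging comment relies on (edits only before voting), and the hash gives front-ends and off-chain tooling a single value to display next to the description and to diff against on every `ProposalUpdated` event.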