Open sherlock-admin4 opened 4 months ago
We are working on a fix that will better filter out proposals.
Still wanted to highlight that we think severity should be lower because likelihood is very low, and that's because an attacker needs to have at least totalSupply * proposalEligibilityQuorumBps / 10_000
votes.
Yeam, it seems the likelihood should indeed be low + high impact = medium.
Comment from LSW:
"the 10% requirement is for coalition that nouns holders can make, not necessary for one attacker. Also, total supply is decreased by forking. Overall, this is a somewhat higher ask, but in the same time the manipulation surface itself is somewhat bigger, as natural proposal count is low enough, so cancelled proposals can have substantial impact (say, 2-3x reward depression for the honest ones)".
Under these reasons, the report remains High severity.
The protocol team fixed this issue in the following PRs/commits: https://github.com/nounsDAO/nouns-monorepo/pull/839
Fix looks ok: cancelled proposals are now filtered out in proposalDataForRewards()
.
The Lead Senior Watson signed off on the fix.
hyh
high
Eligibility of cancelled proposals makes it possible for
proposalEligibilityQuorumBps
controlling actor to create multiple eligible proposals, stealing rewards from all othersSummary
Actor controlling more than
proposalEligibilityQuorumBps
can spam eligible proposals via creation, voting and canceling them, stealing proposal based rewards from all other participants. SinceproposalEligibilityQuorumBps
is set to10%
, it can require colluding of the several Nouns holders. Spamming here means that this have much shorter turnaround time compared to usual workflow and has a potential of heavily diluting the rewards for all others.Vulnerability Detail
Suppose an actor is affiliated with
clientId
beingapproved
and controls (directly or indirectly via collusion) more thanproposalEligibilityQuorumBps
of the current total supply. They can repeat(create, vote, cancel)
cycle over time obtaining a significant share of proposal rewards since this will produce eligible proposals substantially faster compared to the normal lifecycle as fullvotingPeriod
is omitted.In order to conceal the manipulation this can be intermixed with other activities: i.e. before most valid proposal's, having target
clientId
, voting and execution there might be some deliberately broken versions of this proposal being posted, then voted on and cancelled like if the inconsistency was just being discovered. This can be done gradually in order to avoid raising red flags and keepclientId
valid.Impact
The only prerequisite is some arrangement of Nouns holders in order in exceed
proposalEligibilityQuorumBps
bar. All the rest can be done routinely. The manipulation will not be evident on rewards allocation asupdateRewardsForProposalWritingAndVoting()
will count manipulated proposals automatically.Increasing the number of eligible proposals has substantial impact on rewards calculation, so the impact on the other client id owners' reward revenue is high.
Likelihood: Medium + Impact: High = Severity: High.
Code Snippet
Cancelled proposals will be deemed valid and will dilute the proposal rewards base:
https://github.com/sherlock-audit/2024-03-nouns-dao-2/blob/main/nouns-monorepo/packages/nouns-contracts/contracts/client-incentives/Rewards.sol#L352-L368
Proposals can be cancelled by
proposer
early on (whenever in a non-final state), i.e. right afterproposalUpdatablePeriodInBlocks + votingDelay
passed and proposal becomesActive
, so it can be voted on and cancelled:https://github.com/sherlock-audit/2024-03-nouns-dao-2/blob/main/nouns-monorepo/packages/nouns-contracts/contracts/governance/NounsDAOProposals.sol#L518-L547
After that proposer and other backers can immediately create new proposal since the state of their current one is
Canceled
and the corresponding check is satisfied:https://github.com/sherlock-audit/2024-03-nouns-dao-2/blob/main/nouns-monorepo/packages/nouns-contracts/contracts/governance/NounsDAOProposals.sol#L778-L789
https://github.com/sherlock-audit/2024-03-nouns-dao-2/blob/main/nouns-monorepo/packages/nouns-contracts/contracts/governance/NounsDAOProposals.sol#L582-L592
Tool used
Manual Review
Recommendation
Consider ignoring cancelled proposals, e.g.:
https://github.com/sherlock-audit/2024-03-nouns-dao-2/blob/main/nouns-monorepo/packages/nouns-contracts/contracts/governance/NounsDAOProposals.sol#L719-L732
Rationale is that cancelled proposal is a kind of discarded draft, even if it was voted on, and is to be replaced by another, corrected, version, so including both in the proposal rewards is essentially double counting.
Vetoed ones can stay as is since, apart from veto power holder being trusted, in order to require a veto the proposal needs to be executable, so there looks to be no possibility to quickly iterate many such proposals and dilute the rewards. I.e. canceling provides a significant speed up for eligible proposals making, while vetoing doesn't.
Also, as a simplification and a mitigation for other issues, the eligibility threshold can be passed to
proposalDataForRewards()
and non-eligible proposals can be excluded early on, e.g.:https://github.com/sherlock-audit/2024-03-nouns-dao-2/blob/main/nouns-monorepo/packages/nouns-contracts/contracts/client-incentives/Rewards.sol#L323-L327
https://github.com/sherlock-audit/2024-03-nouns-dao-2/blob/main/nouns-monorepo/packages/nouns-contracts/contracts/governance/NounsDAOProposals.sol#L719-L737
Keeping
endBlock > 0
just in case, while the rest is already checked:https://github.com/sherlock-audit/2024-03-nouns-dao-2/blob/main/nouns-monorepo/packages/nouns-contracts/contracts/client-incentives/Rewards.sol#L355-L361
https://github.com/sherlock-audit/2024-03-nouns-dao-2/blob/main/nouns-monorepo/packages/nouns-contracts/contracts/client-incentives/Rewards.sol#L411-L413