Closed sherlock-admin2 closed 4 months ago
3 comment(s) were left on this issue during the judging contest.
WangAudit commented:
seems to be intended behaviour; if we take a look at castRefundableVoteWithReason it allows us to supply the clientId; if we look at castRefundableVoteInternal, devs say that client is the one facilitating posting the vote on chain, which looks to me to be specific for this function.
karanctf commented:
client id can't be 0
takarez commented:
seems invalid.
This is by design.
First to clarify, rewards go to apps that facilitate voting on Nouns, not to the voters themselves. In this context, of course we don't want to reward invalid client IDs :)
We reserved client ID 0 for "the current state" and not rewarding it is also by design - all clients that should be rewarded will register and receive IDs starting at 1.
DenTonylifer
medium
Some voters will not be rewarded
Summary
Some voters who voted for the proposals will not be rewarded.
Vulnerability Detail
The only reasons why a voter cannot be rewarded is this:
In other cases the voter must be rewarded. But if a voter submitted votes using the functions castVoteBySig(), castVoteWithReason() or castVote(), he will not get rewards due to the hardcoded clientId:
Votes by variable clientId are saved in an array that will be used for rewards accounting in Rewards.sol:
As we can see, voters with clientId = 0 will not be rewarded. It was made to avoid rewarding a non-existent clientId (=0 or > maxClientId), but in reality it harms voters with an existing clientId, because they were not allowed to pass it as a parameter in castVote() and other functions.
Impact
Many eligible voters who voted for the eligible proposals will not be rewarded.
Code Snippet
https://github.com/sherlock-audit/2024-03-nouns-dao-2/blob/main/nouns-monorepo/packages/nouns-contracts/contracts/governance/NounsDAOVotes.sol#L70
https://github.com/sherlock-audit/2024-03-nouns-dao-2/blob/main/nouns-monorepo/packages/nouns-contracts/contracts/governance/NounsDAOVotes.sol#L145
https://github.com/sherlock-audit/2024-03-nouns-dao-2/blob/main/nouns-monorepo/packages/nouns-contracts/contracts/governance/NounsDAOVotes.sol#L164
Tool used
Manual Review
Recommendation
Allow users to pass clientId as a parameter in castVote() and other functions:
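A constructed Python model of the accounting this issue and the sponsor reply describe, added here as an illustration and not code from the Nouns DAO repository: the method and field names echo the ones named in the thread (castVote, castRefundableVoteWithReason, maxClientId) but their bodies are assumptions, and the sample votes are made up. It shows why votes recorded under clientId 0 or an unregistered id never reach a client's reward tally, whichever voter cast them.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vote:
    voter: str
    proposal_id: int
    support: int
    client_id: int


class VotesModel:
    """Constructed stand-in for the vote-recording side: votes are bucketed by clientId."""

    def __init__(self, max_client_id: int):
        # Assumption: registered clients hold ids 1..max_client_id; 0 is reserved.
        self.max_client_id = max_client_id
        self.votes_by_client: dict[int, list[Vote]] = defaultdict(list)

    def _record(self, voter: str, proposal_id: int, support: int, client_id: int) -> None:
        self.votes_by_client[client_id].append(Vote(voter, proposal_id, support, client_id))

    def cast_vote(self, voter: str, proposal_id: int, support: int) -> None:
        # Mirrors the behaviour the issue describes: no clientId parameter, 0 is hard-coded.
        self._record(voter, proposal_id, support, 0)

    def cast_refundable_vote_with_reason(self, voter: str, proposal_id: int,
                                         support: int, reason: str, client_id: int) -> None:
        # The facilitating client app supplies its own registered clientId.
        self._record(voter, proposal_id, support, client_id)


def rewardable_vote_counts(model: VotesModel, proposal_id: int) -> tuple[dict[int, int], int]:
    """Per-client vote counts on proposal_id for rewardable clients only.

    Returns (counts_by_client, skipped). clientId 0 and ids above maxClientId are
    skipped, the same filter the issue quotes from the rewards accounting.
    """
    counts: dict[int, int] = {}
    skipped = 0
    for client_id, votes in model.votes_by_client.items():
        n = sum(1 for v in votes if v.proposal_id == proposal_id)
        if n == 0:
            continue
        if client_id == 0 or client_id > model.max_client_id:
            skipped += n  # reserved or unregistered id: no client to reward
            continue
        counts[client_id] = n
    return counts, skipped
```

With three constructed votes on one proposal (one via cast_vote, one via a registered client id 2, one via an unregistered id 9) only client 2 appears in the tally and two votes are skipped.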