Quorum votes have no effect for determining whether a proposal is defeated or succeeded when token supply is low #607
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L473-L477
https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L116-L175
https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L413-L456
Vulnerability details
Impact
At the early stage of the deployed DAO, it is possible that the quorum function returns 0 because the token supply is low:
https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L473-L477
When the propose function is called, proposal.quorumVotes = uint32(quorum()) is executed. If quorum() returns 0, proposal.quorumVotes is set to 0:
https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L116-L175
When determining the proposal's state, the state function is called, which can execute
else if (proposal.forVotes < proposal.againstVotes || proposal.forVotes < proposal.quorumVotes) { return ProposalState.Defeated; }
If proposal.quorumVotes is 0, the proposal.forVotes < proposal.quorumVotes condition is always false. Essentially, quorum votes have no effect at all for determining whether the proposal is defeated or succeeded when the token supply is low. Hence, critical proposals, such as those updating implementations or withdrawing funds from the treasury, which should not pass when the for votes fail to reach an effective quorum, can be passed, or vice versa, so the impact can be huge:
https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/governance/governor/Governor.sol#L413-L456
Proof of Concept
Please append the following test in test\Gov.t.sol. This test will pass to demonstrate the described scenario.
Tools Used
VSCode
Recommended Mitigation Steps
A minimum quorum votes governance configuration that is at least 1 can be added. When quorum() returns 0 because the token supply is low, calling propose could set proposal.quorumVotes to the minimum quorum votes.
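As an added illustration (not the finding's own PoC test and not the project's code), the following Python model reproduces the quoted defeat check from state() and the recommended minimum-quorum floor side by side. The quorum formula (a basis-point share of total supply with Solidity-style integer truncation) and all sample numbers are assumptions made for this model.

```python
from enum import Enum

BPS_DENOMINATOR = 10_000


class ProposalState(Enum):
    SUCCEEDED = "Succeeded"
    DEFEATED = "Defeated"


def quorum(total_supply: int, quorum_threshold_bps: int) -> int:
    """Assumed model of quorum(): a basis-point share of the token supply.
    Integer division mirrors Solidity, so a small supply truncates to 0."""
    return (total_supply * quorum_threshold_bps) // BPS_DENOMINATOR


def state(for_votes: int, against_votes: int, quorum_votes: int) -> ProposalState:
    """Only the vote-tally step of state() is modelled: the else-if branch
    quoted in the finding. With quorum_votes == 0 the second comparison is
    unconditionally false, so only the for/against comparison decides."""
    if for_votes < against_votes or for_votes < quorum_votes:
        return ProposalState.DEFEATED
    return ProposalState.SUCCEEDED


def proposal_quorum_votes(total_supply: int, quorum_threshold_bps: int,
                          min_quorum_votes: int = 0) -> int:
    """quorumVotes as stored by propose(). min_quorum_votes=0 reproduces the
    reported behaviour; a value of at least 1 models the recommended
    governance-configured floor (assumed name and placement)."""
    return max(quorum(total_supply, quorum_threshold_bps), min_quorum_votes)


def simulate(total_supply: int, quorum_threshold_bps: int, for_votes: int,
             against_votes: int, min_quorum_votes: int = 0) -> ProposalState:
    """Run propose() followed by the tally step of state() for one proposal."""
    qv = proposal_quorum_votes(total_supply, quorum_threshold_bps, min_quorum_votes)
    return state(for_votes, against_votes, qv)


if __name__ == "__main__":
    # Constructed scenario: 9 tokens minted, 10% quorum threshold -> quorum() == 0.
    print("quorum with 9 tokens at 1000 bps:", quorum(9, 1000))
    # A proposal nobody voted on still resolves as Succeeded under the original check.
    print("no votes, no floor:", simulate(9, 1000, 0, 0).value)
    # With a floor of 1 the same proposal is correctly Defeated.
    print("no votes, floor=1:", simulate(9, 1000, 0, 0, min_quorum_votes=1).value)
```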