Reviewed by: 0x52 (@IAm0x52)
As an independent smart contract auditor I have completed over 100 separate reviews. I primarily compete in public contests as well as conducting private reviews (like this one here). I have more than 30 1st place finishes (and counting) in public contests on Code4rena and Sherlock. I have also partnered with SpearbitDAO as a Lead Security researcher. My work has helped to secure over $1 billion in TVL across 100+ protocols.
The following contracts were reviewed as replacements for the nounsDAO contract suite:
- NFTDescriptorV2: 0xdEdd7Ec3F440B19C627AE909D020ff037F618336
- SVGRenderer : 0x535BD6533f165B880066A9B61e9C5001465F398C
- NounsDescriptorV3: 0x33A9c445fb4FB21f2c030A6b2d3e2F12D017BFAC
- Inflator: 0x6c14b7aB60d81d5F734B873126493de2E52d3eee
- NounsArt: 0x6544bC8A0dE6ECe429F14840BA74611cA5098A92
NounsArt.sol and NounsDescriptorV3.sol were changed to allow the NounsDAO executor to update existing traits with new artwork. A suite of updateTrait and updateTraitFromPointer functions was added to NounsDescriptorV3.sol, along with corresponding functions on NounsArt.sol. The motivation is to allow traits that are not displaying correctly to be fixed via a governance proposal.
The code first underwent manual review to identify all flows across the nounsDAO suite that would be altered by the proposed changes. Only cosmetic flows were altered; the changes present no risk to core functionality such as minting or governance. A secondary manual review was completed to evaluate any structural security concerns raised by these changes. The functions added were derived from the existing functions used to add additional traits. State-altering functions such as addPage were reused rather than remade, which is a security best practice. The worst security outcomes stem from incorrect trait counts. The addition of trait length checks before and after updating completely eliminates this form of input error. Contracts were subsequently fork tested to confirm that the desired functionality and access control were working as intended.
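The before-and-after count check described above, written out as an added illustration that is not the NounsArt or NounsDescriptorV3 code. The storage layout (traits grouped into pages, each carrying an image count), the `executor` role and the function names are assumptions made for the example; the point it shows is that an update which reuses the existing `addPage` path can only succeed if the total trait count is unchanged, so a governance proposal that supplies the wrong number of images reverts instead of shifting every later trait index.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Hypothetical minimal trait store used to illustrate the count invariant.
/// Not the NounsArt / NounsDescriptorV3 implementation.
contract TraitStoreExample {
    struct Page {
        uint16 imageCount; // number of trait images encoded in `data`
        bytes data;        // encoded artwork for this page (opaque here)
    }

    address public immutable executor;          // assumed: the DAO executor
    mapping(bytes32 => Page[]) private pages;   // trait kind => pages
    mapping(bytes32 => uint256) private counts; // trait kind => total images

    error OnlyExecutor();
    error TraitCountChanged(uint256 expected, uint256 actual);

    constructor(address _executor) {
        executor = _executor;
    }

    modifier onlyExecutor() {
        if (msg.sender != executor) revert OnlyExecutor();
        _;
    }

    /// Existing state-altering path: append a page and grow the count.
    function addPage(bytes32 kind, uint16 imageCount, bytes calldata data) public onlyExecutor {
        pages[kind].push(Page(imageCount, data));
        counts[kind] += imageCount;
    }

    function traitCount(bytes32 kind) public view returns (uint256) {
        return counts[kind];
    }

    /// Replace all artwork for `kind`. The count is snapshotted before the
    /// pages are cleared, the new pages are written through the reused
    /// addPage path, and the count is rechecked afterwards. Any proposal
    /// whose new pages encode a different number of images reverts, which
    /// prevents index shifts in every trait stored after the updated ones.
    function updateTrait(bytes32 kind, uint16[] calldata imageCounts, bytes[] calldata datas)
        external
        onlyExecutor
    {
        require(imageCounts.length == datas.length, "length mismatch");

        uint256 countBefore = counts[kind];

        delete pages[kind];
        counts[kind] = 0;
        for (uint256 i = 0; i < datas.length; i++) {
            addPage(kind, imageCounts[i], datas[i]);
        }

        uint256 countAfter = counts[kind];
        if (countAfter != countBefore) revert TraitCountChanged(countBefore, countAfter);
    }
}
```

In a fork test the check is exercised by calling `updateTrait` from the executor once with pages whose image counts sum to the original total (succeeds) and once with a different total (reverts with `TraitCountChanged`), and by calling it from any other address (reverts with `OnlyExecutor`).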
No security concerns have been raised by this review.