unforgiven - during migration, attacker can sell his NFT tokens in L1 after migration snapshot and then receive it in L2 after migration #144
Comments
There is almost no secondary market for any of the DAOs currently deployed on L1. We think this situation is pretty unlikely.
Situation is unlikely, but possible to allow potential unintended profit from token sales due to migration, so I believe this issue is definitely worth consideration. Based on the following comments here made in the recent Notional contest + Sherlock docs revolving around future issues, inclined to keep as medium since this is certainly an unintended future situation not mentioned in the Docs/READ.ME
However, I really don't understand the stance of Sherlock's rules revolving around future-type issues such as this and #203, since it is a topic of relative gray area. The difference between this issue and #203 is that in the latter, the code implementation already indicates that re-minting and burning logic is possible, whereas this is dependent on the setting up of external secondary markets out of the protocol's control to maliciously act on. Seeking further clarification here @Czar102, your help will be much appreciated.
I think this issue is invalid. If someone is proposing to buy a token and they pay for it after the migration, then they either see value in the token despite the loss of protocol functionality, or they made a mistake by failing to check that the token is still useful.
It's not true, they will receive a token on the L1. The buyer shouldn't assume that this token has utility without checking that a migration hasn't started ("actions are paused" per sponsor comment). Please let me know if my stance makes sense in the context of the protocol @nevillehuang.
@Czar102 I agree with this stance, thanks for the review.
unforgiven
high
during migration, attacker can sell his NFT tokens in L1 after migration snapshot and then receive it in L2 after migration
Summary
The DAO owner can migrate it to the L2. For migration, a snapshot of token holders in L1 is taken, then that snapshot will be sent to L2 to deploy the new DAO in L2. The issue is that the DAO Token contract is not pausable, so during the migration, an attacker who owns a DAO NFT can, after the snapshot is taken, sell his NFT in L1 and later receive his NFT in L2. This will cause loss to any user that buys or receives the NFTs during the migration. The DAO NFT Token should have a pause feature, and the DAO should be able to pause the token during the migration so no one could transfer it during the migration and after it.
Vulnerability Detail
This is the migration process:
An attacker can exploit this process because during the migration, and after the snapshot of NFT ownership is taken, the DAO NFT token is transferable, and the attacker can sell his token in L1 and later receive that token in L2. The DAO owner can pause the Auction, but that will only stop minting new tokens and it won't stop Token transfers.
Warning users about the migration and saying that the L1 NFT is going to be worthless is not gonna solve this issue, because there are a lot of DEXes and on-chain marketplaces where the attacker can sell his NFT during migration in L1.
Impact
Users who buy or receive NFT tokens during migration in L1 will lose their funds.
Code Snippet
https://github.com/sherlock-audit/2023-09-nounsbuilder/blob/db232c649b425c36f5a93607c95cfdf0e5962b2f/nouns-protocol/src/deployers/L2MigrationDeployer.sol#L92-L123
https://github.com/sherlock-audit/2023-09-nounsbuilder/blob/db232c649b425c36f5a93607c95cfdf0e5962b2f/nouns-protocol/src/auction/Auction.sol#L362-L367
Tool used
Manual Review
Recommendation
Add a pause feature to the DAO NFT Token, and allow the owner to pause the DAO Token during the migration.
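
The recommendation above, sketched as an added example that is not part of the original report and is not the Nouns Builder `Token` contract. It is a minimal stand-alone ownership ledger; the contract name, `pauseForMigration`, `unpause`, the `dao` address and the simplified `transfer` signature are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

/// Added illustration only: hypothetical names, not the audited Token contract.
/// Assumption: `dao` is the account that drives the L1 -> L2 migration.
contract MigrationPausableToken {
    address public immutable dao;
    bool public transfersPaused; // set when the L1 ownership snapshot is taken
    mapping(uint256 => address) public ownerOf;

    event Transfer(address indexed from, address indexed to, uint256 indexed tokenId);
    event TransfersPaused(address indexed by);
    event TransfersUnpaused(address indexed by);

    error NotDao();
    error TransfersArePaused();
    error NotTokenOwner();
    error InvalidRecipient();
    error AlreadyMinted();

    modifier onlyDao() {
        if (msg.sender != dao) revert NotDao();
        _;
    }

    constructor(address _dao) { dao = _dao; }

    /// Freeze ownership so it cannot diverge from the migration snapshot.
    function pauseForMigration() external onlyDao {
        transfersPaused = true;
        emit TransfersPaused(msg.sender);
    }

    function unpause() external onlyDao {
        transfersPaused = false;
        emit TransfersUnpaused(msg.sender);
    }

    function mint(address to, uint256 tokenId) external onlyDao {
        if (to == address(0)) revert InvalidRecipient();
        if (ownerOf[tokenId] != address(0)) revert AlreadyMinted();
        ownerOf[tokenId] = to;
        emit Transfer(address(0), to, tokenId);
    }

    /// In a full ERC-721 this check belongs in the shared internal transfer path,
    /// so transferFrom and safeTransferFrom (marketplace fills) revert as well.
    function transfer(address to, uint256 tokenId) external {
        if (transfersPaused) revert TransfersArePaused();
        if (ownerOf[tokenId] != msg.sender) revert NotTokenOwner();
        if (to == address(0)) revert InvalidRecipient();
        ownerOf[tokenId] = to;
        emit Transfer(msg.sender, to, tokenId);
    }
}
```

With the flag set before the snapshot is read, any sale that settles on L1 afterwards reverts, so the holder list sent to L2 stays equal to L1 ownership.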