Moloch DAO Pool Audit Report
Nomic Labs second audit report on Moloch DAO
--
The Nomic Labs team conducted an audit of the MolochPool contract on version 721443849c8a6d7e64daf6d2910bc4681d42ac06. We found the contract to be short, functionally minimalistic, and with no security issues.
Audit Results
Low severity issues
[MOL2-L01] A newly deployed MolochPool can be activated by an attacker
Deploying a MolochPool contract requires two transactions. The first one deploys the contract, and the second one activates it.
An attacker could detect a MolochPool being deployed and call MolochPool#activate before the person performing the deployment, setting arbitrary parameters.
The only impact of this attack is that the deployer would be forced to redeploy the MolochPool contract.
Other comments and recommendations
[MOL2-O01] Most require calls don’t have a revert reason
Most require calls in the MolochPool contract don’t have revert reasons. Consider adding them before the deployment, as they would make working with it easier.
[MOL2-O02] State-modifying actions don’t emit events
Consider adding events to the MolochPool contract to make monitoring it easier.
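The sketch below is an added example, not code from the MolochPool repository or from the audit. It shows one way the points in MOL2-L01, MOL2-O01 and MOL2-O02 can look together in a contract. The contract name, the single activate parameter, the storage layout and the Solidity version are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical illustration, not the MolochPool source. Names, parameters and
// storage layout are assumptions made for this example.
contract ExamplePool {
    address public immutable deployer; // fixed in the deployment transaction
    bool public activated;
    uint256 public totalPoolShares;
    mapping(address => uint256) public sharesOf;

    // MOL2-O02: events make every state change visible to monitoring.
    event Activated(address indexed by, uint256 initialShares);
    event SharesMinted(address indexed to, uint256 amount);

    constructor() {
        deployer = msg.sender;
    }

    // MOL2-L01: the second (activation) transaction is accepted only from the
    // account that sent the first (deployment) transaction, so a third party
    // watching for the deployment cannot activate the pool first.
    function activate(uint256 initialShares) external {
        // MOL2-O01: each require carries a revert reason.
        require(msg.sender == deployer, "ExamplePool: caller is not deployer");
        require(!activated, "ExamplePool: already activated");
        require(initialShares > 0, "ExamplePool: zero initial shares");

        activated = true;
        _mint(msg.sender, initialShares);
        emit Activated(msg.sender, initialShares);
    }

    function _mint(address to, uint256 amount) internal {
        totalPoolShares += amount;
        sharesOf[to] += amount;
        emit SharesMinted(to, amount);
    }
}
```

With the Activated event in place, a deployment script can confirm that the activation it sees on chain came from the expected account and carries the expected parameters before the pool is announced.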
[MOL2-O03] MolochPool#currentProposalIndex’s name can be confusing
The name suggests that the variable tracks the last synced proposal, but it contains the index of the next proposal to sync instead. A better name could be nextProposalIndex.