Moloch DAO Pool Audit Report

Nomic Labs second audit report on Moloch DAO

Nomic Labs
Jun 24 · 2 min read

The Nomic Labs team conducted an audit of the MolochPool contract at version 721443849c8a6d7e64daf6d2910bc4681d42ac06. We found the contract to be short and minimal in functionality, with no security issues.

Audit Results

Low severity issues

[MOL2-L01] A newly deployed can be activated by an attacker
Deploying a contract requires two transactions. The first one deploys the contract, and the second one activates it.

An attacker could detect a MolochPool being deployed and call before the person performing the deployment, setting arbitrary parameters.

The only impact of this attack is that the deployer would be forced to redeploy the contract.

Other comments and recommendations

[MOL2-O01] Most require calls don’t have a reason
Most require calls in the contract don’t have reason strings. Consider adding them before deployment, as they make working with the contract easier.

[MOL2-O02] State-modifying actions don’t emit events
Consider adding events for state-modifying actions to make monitoring the contract easier.

[MOL2-O03] ’s name can be confusing
This variable name seems to indicate that it keeps track of the last synced proposal but contains the index of the next proposal to sync instead. A better name could be .
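The following Solidity contract is an added illustration, not the MolochPool code, of the mitigations suggested by MOL2-L01, MOL2-O01 and MOL2-O02: the activation step is restricted to the deployer so a third party cannot front-run it, each require carries a reason string, and the state change emits an event. The contract name Pool and the members deployer, activate and Activated are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.5.0;

// Illustrative contract only; it is not the MolochPool code. The names
// Pool, deployer, activate and Activated are assumptions for this example.
contract Pool {
    address public deployer;
    address public moloch;
    bool public activated;

    // MOL2-O02: emit an event so activation can be monitored off-chain.
    event Activated(address indexed moloch, address indexed by);

    constructor() public {
        // Remember who deployed the contract so only they can activate it.
        deployer = msg.sender;
    }

    // Pattern described in MOL2-L01 (kept as a comment for contrast):
    // anyone who sees the deployment can call this first with arbitrary
    // parameters, forcing the deployer to redeploy.
    //
    // function activate(address _moloch) public {
    //     require(!activated);
    //     moloch = _moloch;
    //     activated = true;
    // }

    // Hardened activation: restricted to the deployer (MOL2-L01), with
    // reason strings on every require (MOL2-O01) and an event (MOL2-O02).
    function activate(address _moloch) public {
        require(msg.sender == deployer, "Pool: only the deployer can activate");
        require(!activated, "Pool: already activated");
        require(_moloch != address(0), "Pool: moloch address is zero");

        moloch = _moloch;
        activated = true;
        emit Activated(_moloch, msg.sender);
    }
}
```

An alternative that removes the second transaction altogether is to pass the activation parameters to the constructor, so deployment and activation happen atomically; the deployer check above is the smaller change when the two-step deployment must be kept.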


Get a high-quality smart contract audit from Nomic Labs.

Nomic Labs

We design, build and audit decentralized systems.

