Moloch DAO Pool Audit Report

Nomic Labs second audit report on Moloch DAO

Nomic Foundation
Jun 24, 2019


The Nomic Labs team conducted an audit of the MolochPool contract at commit 721443849c8a6d7e64daf6d2910bc4681d42ac06. We found the contract to be short, minimal in functionality, and with no security issues.

Audit Results

Low severity issues

[MOL2-L01] A newly deployed MolochPool can be activated by an attacker
Deploying a MolochPool contract requires two transactions: the first deploys the contract, and the second activates it.

An attacker could detect a MolochPool being deployed and call MolochPool#activate before the deployer does, setting arbitrary parameters.

The only impact of this attack is that the deployer would be forced to redeploy the MolochPool contract.

Other comments and recommendations

[MOL2-O01] Most require calls don’t have a revert reason
Most require calls in the MolochPool contract don’t have revert reasons. Consider adding them before deployment, as they make interacting with and debugging the contract easier.

[MOL2-O02] State-modifying actions don’t emit events
Consider adding events to the MolochPool contract to make monitoring it easier.

[MOL2-O03] MolochPool#currentProposalIndex’s name can be confusing
This variable name suggests that it tracks the last synced proposal, but it actually holds the index of the next proposal to sync. A better name could be nextProposalIndex.
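As an added illustration (not the project's code), the following simplified pool contract shows the unprotected two-step activation described in MOL2-L01 beside a hardened form that restricts activation to the deployer, adds revert reasons (MOL2-O01), emits an event (MOL2-O02) and uses the suggested variable name (MOL2-O03). The parameter and variable names are assumptions, not MolochPool's actual interface.

```solidity
pragma solidity ^0.5.3;

// Illustrative only: a minimal two-step pool, not the real MolochPool.
// Parameter names (_initialTokens, _initialPoolShares) are assumptions.
contract UnprotectedPool {
    bool public active;
    uint256 public totalTokens;
    uint256 public totalPoolShares;
    uint256 public currentProposalIndex; // actually the next index to sync

    // Anyone who sees the deployment can call this first and choose the
    // parameters, forcing the deployer to redeploy (MOL2-L01).
    function activate(uint256 _initialTokens, uint256 _initialPoolShares) public {
        require(!active); // no revert reason (MOL2-O01), no event (MOL2-O02)
        totalTokens = _initialTokens;
        totalPoolShares = _initialPoolShares;
        active = true;
    }
}

contract HardenedPool {
    address public deployer;
    bool public active;
    uint256 public totalTokens;
    uint256 public totalPoolShares;
    uint256 public nextProposalIndex; // renamed as suggested in MOL2-O03

    // Makes activation observable to off-chain monitoring (MOL2-O02).
    event Activated(address indexed by, uint256 initialTokens, uint256 initialPoolShares);

    constructor() public {
        deployer = msg.sender; // remembered so the second step is bound to the deployer
    }

    // Only the deployer may activate, so a front-running activate call reverts.
    function activate(uint256 _initialTokens, uint256 _initialPoolShares) public {
        require(msg.sender == deployer, "Pool: only the deployer can activate");
        require(!active, "Pool: already active");
        require(_initialPoolShares > 0, "Pool: initial shares must be positive");
        totalTokens = _initialTokens;
        totalPoolShares = _initialPoolShares;
        active = true;
        emit Activated(msg.sender, _initialTokens, _initialPoolShares);
    }
}
```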
