Nouns auctions one NFT every day. The proceeds from the auctions are governed by the holders of the NFTs. Most Nouns contracts are upgradable and have already been upgraded in the past. An upgrade requires passing a proposal. The current upgrade introduces a new feature we call “Client Incentives”. The goal is to reward clients/frontends that allow users to interact with the Nouns contracts, e.g. bid on auctions, vote on proposals.
On what chains are the smart contracts going to be deployed?
mainnet
Which ERC20 tokens do you expect will interact with the smart contracts?
WETH is the token we're planning to use in this new client rewards upgrade.
Which ERC721 tokens do you expect will interact with the smart contracts?
Nouns
Do you plan to support ERC1155?
no
Which ERC777 tokens do you expect will interact with the smart contracts?
none
Are there any FEE-ON-TRANSFER tokens interacting with the smart contracts?
none
Are there any REBASING tokens interacting with the smart contracts?
none
Are the admins of the protocols your contracts integrate with (if any) TRUSTED or RESTRICTED?
TRUSTED
The only external protocols that Nouns DAO interacts with are tokens like stETH, rETH and USDC, but these additional tokens are not part of this audit's scope so we consider them TRUSTED.
Is the admin/owner of the protocol/contracts TRUSTED or RESTRICTED?
TRUSTED
Are there any additional protocol roles? If yes, please explain in detail:
In general, the DAO is owner/admin everywhere, including the new Rewards contract which pays out rewards to frontends that facilitate Nouns interactions onchain.
In Rewards, we added an admin role that can pause/unpause the contract in case an urgent issue arises, since the DAO takes many days to pass a proposal to remedy any such issue. The admin should not be able to withdraw any funds or alter any state other than pause/unpause.
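The privilege split described in the two answers above (the DAO as owner with full control, a separate admin limited to pause/unpause) is the kind of property an auditor verifies by enumerating every function gated on the admin role and confirming none of them moves funds or writes any state beyond the pause flag. The contract below is an added illustration of that pattern, not the Nouns Rewards contract or any code from the Nouns monorepo; the contract and function names are hypothetical and it pays out native ETH for brevity where the real upgrade uses WETH.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of an owner/admin privilege split (hypothetical names,
// not the Nouns Rewards contract). The owner is the DAO; the admin is an
// emergency role whose entire surface is pause() and unpause().
contract PausableRewardsExample {
    address public owner;   // the DAO: configures rewards and is the only party that can move funds
    address public admin;   // emergency role: may only pause and unpause
    bool public paused;

    mapping(address => uint256) public pendingRewards;

    event Paused(address indexed by);
    event Unpaused(address indexed by);

    error NotOwner();
    error NotAdmin();
    error IsPaused();

    constructor(address dao, address pauser) {
        owner = dao;
        admin = pauser;
    }

    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }
    modifier onlyAdmin() { if (msg.sender != admin) revert NotAdmin(); _; }
    modifier whenNotPaused() { if (paused) revert IsPaused(); _; }

    // --- admin surface: exactly two functions, neither touches balances or configuration ---
    function pause() external onlyAdmin { paused = true; emit Paused(msg.sender); }
    function unpause() external onlyAdmin { paused = false; emit Unpaused(msg.sender); }

    // --- owner (DAO) surface ---
    function setAdmin(address newAdmin) external onlyOwner { admin = newAdmin; }

    // Deliberately not gated on whenNotPaused: the DAO must still be able to
    // recover funds while the contract is halted.
    function withdraw(address payable to, uint256 amount) external onlyOwner {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // --- reward flow, halted while paused ---
    receive() external payable {}

    function credit(address client, uint256 amount) external onlyOwner whenNotPaused {
        pendingRewards[client] += amount;
    }

    function claim() external whenNotPaused {
        uint256 amount = pendingRewards[msg.sender];
        pendingRewards[msg.sender] = 0;   // zero the balance before the external call
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The check that matters for the stated requirement is mechanical: every `onlyAdmin` function in the contract, including any inherited or upgraded-in logic, should appear in that two-function list, and `setAdmin` should sit behind `onlyOwner` so the admin cannot hand the role to another address.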
Is the code/contract expected to comply with any EIPs? Are there specific assumptions around adhering to those EIPs that Watsons should be aware of?
no
Please list any known issues/acceptable risks that should not result in a valid finding.
We are aware of the risk of one or more parties acquiring a majority vote, and as long as our code changes do not make that risk more likely, it seems wasteful to spend time on it.
Please provide links to previous audits (if any).
The last big DAO audit by spearbit: https://github.com/nounsDAO/nouns-monorepo/blob/d417586ae46f8d32801a3028c2c3496b119fc032/packages/nouns-contracts/audits/dao%20v3%20-%20spearbit%20audit%20report.pdf
The same version was audited again by codearena: https://code4rena.com/reports/2023-07-nounsdao
And we had a smaller audit in the past with Sherlock: https://audits.sherlock.xyz/contests/27
Are there any off-chain mechanisms or off-chain procedures for the protocol (keeper bots, input validation expectations, etc)?
none
In case of external protocol integrations, are the risks of external contracts pausing or executing an emergency withdrawal acceptable? If not, Watsons will submit issues related to these situations that can harm your protocol's functionality.
Yes
Do you expect to use any of the following tokens with non-standard behaviour with the smart contracts?
none
Add links to relevant protocol resources
Please read this document first to get context for the audit: https://docs.google.com/document/d/1fU7jxRqfISIYOwvBn6wmXDiawBiEONfFhooAljvJLEk/edit?usp=sharing
Total Rewards
Contest Pool: 41,500 USDC
Lead Senior Watson: 21,500 USDC
Judging Pool: 1,800 USDC
Lead Judge: 2,200 USDC

Status: Finished
Scope: 2,817 nSLOC
Start Time: Mar 20, 2024, 3:00 PM
End Time: Apr 1, 2024, 3:00 PM