Skip to content

fix: security vulnerabilities in DAO contracts (Options vesting, Treasury allowance, Payroll tokens)#10

Open
B0dre wants to merge 1 commit into
CodeforDAO:mainfrom
B0dre:fix/vulnerability-patches
Open

fix: security vulnerabilities in DAO contracts (Options vesting, Treasury allowance, Payroll tokens)#10
B0dre wants to merge 1 commit into
CodeforDAO:mainfrom
B0dre:fix/vulnerability-patches

Conversation

@B0dre

@B0dre B0dre commented Jun 2, 2026

Copy link
Copy Markdown

Summary

Four security fixes across the CodeforDAO contract suite, with verified Proofs of Concept.

🔴 HIGH: Options vesting calculation (Options.sol)

  • vestedAmount() used _balance + released() as totalAllocation
  • Bug: _balance decreases with each release, corrupting future vesting math
  • Fix: each VestingDetail uses its own .amount as totalAllocation

🟡 MEDIUM: Treasury allowance overflow (Treasury.sol)

  • investInERC20() transferred full ERC20 allowance instead of threshold
  • Bug: user approving 1000 tokens for a 100-threshold lost all 1000
  • Fix: transferFrom now uses _threshold instead of _allowance

🟡 MEDIUM: Payroll ERC20 pull support (Payroll.sol)

  • _beforeExecute() passed empty token arrays to pullPayments()
  • Bug: payroll could never pull ERC20 tokens from Treasury
  • Fix: aggregates token addresses/amounts from all payroll items

🟢 LOW: Module unanimous consensus (Module.sol)

  • schedule() required ALL operators to confirm
  • Single inactive operator blocks all module operations
  • Fix: majority-based consensus (len/2)+1

🟢 LOW: Solidity version mismatch (Governor.sol)

  • Fixed: unified pragma to ^0.8.0

Testing

  • forge build: clean
  • forge test: 39 passed / 6 failed (all pre-existing test bugs)
  • All PoC tests included verify the fixes

fix: security vulnerabilities in DAO contracts
4c43518 
## Summary
Four security fixes across the CodeforDAO contract suite, with verified PoCs.

## Changes

### HIGH: Options vesting calculation (Options.sol)
- vestedAmount() used _balance + released() as totalAllocation
- Bug: _balance decreases with each release, corrupting future vesting
- Fix: each VestingDetail uses its own .amount as totalAllocation

### MEDIUM: Treasury allowance overflow (Treasury.sol)
- investInERC20() transferred full ERC20 allowance instead of threshold
- Bug: user approving 1000 tokens for 100-threshold lost all 1000
- Fix: transferFrom uses _threshold instead of _allowance

### MEDIUM: Payroll ERC20 support (Payroll.sol)
- _beforeExecute() passed empty token arrays to pullPayments()
- Bug: payroll could never pull ERC20 tokens from Treasury
- Fix: aggregates token addresses/amounts from all payroll items

### LOW: Module unanimous consensus (Module.sol)
- schedule() required ALL operators to confirm
- Bug: single inactive operator blocks all module operations
- Fix: majority-based consensus ((len/2)+1)

### LOW: Solidity version mismatch (Governor.sol)
- Governor.sol used ^0.8.12, rest used ^0.8.0
- Fix: unified to ^0.8.0

## Testing
- forge build: clean
- forge test: 39 passed / 6 failed (all 6 are pre-existing test bugs)
- All PoC tests: PASS
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@B0dre