Teeny Foggy Gecko
Medium
.s.sol files are scripts we are going to use as part of the deployment and upgrade on mainnet, so they are in scope in case there are any issues there was sent in the discord channel by one of the sponsors so these vulnerabilities are in scope. Will be marked as medium only because of the sponsor's statement even if it can very easily be mitigated.
DeployAuctionHouseV3StreamEscrowBase.s.sol :: runInternal() is used to deploy the new version of the protocol that supports the StreamEscrow functionalities.
NounsAuctionHouseV3 is a fork of NounsAuctionHouseV2 that integrates the StreamEscrow functionalities.
StreamEscrow smart contract wrongly is deployed with streamCreator_ argument as the already deployed NounsAuctionHouseV2 instead of NounsAuctionHouseV3 that is meant to be used in combination with StreamEscrow smart contract.
streamCreator_ argument is used in the allowedToCreateStream state variable. StreamEscrow :: createStream() uses allowedToCreateStream state variable as access control. NounsAuctionHouseV3 is the obvious address to be set as true in allowedToCreateStream, even if it can easily mitigated by executing StreamEscrow :: setAllowedToCreateStream() after deployment.
No response
No response
No response
No response
No response
There is no need for a coded PoC for this issue.
No response