Skip to content

Root Token Security#

Medium Risk

It is worth noting that the wrapper token and governance integrity are highly dependent on the rootToken being benevolent and bug-free. If a rootToken contract or owner account is compromised or otherwise malicious, critical governance mechanisms can be bypassed.

For instance, say a malicious root token owner dev mints new tokens (e.g. the BAYC contract has this ability). They can then accumulate votes and pass proposals to drain treasuries dictated by the governance mechanism.

Similarly, if the root token contract is malicious, it might make arbitrary calls to onERC721Received in ERC721Wrapper.sol so as to mint additional voting units to a given address.

function onERC721Received(
    address, /* operator */
    address from,
    uint256 tokenId,
    bytes calldata /* data */
) external virtual override returns (bytes4) {
        msg.sender == address(rootToken),
        "ERC721Wrapper::onERC721Received: NFT not root NFT"
    _mint(from, tokenId);
    _onTokenWrap(from, 1);

    return IERC721Receiver.onERC721Received.selector;


This list is not exhaustive:

  • Before implementing PVFDWrapperVotes / PVFDGovernance with a given root token, the token should be thoroughly audited and investigated. Preferably it should also be immutable and with weak administrative capabilities.
  • Although it is not in the base standard, many ERC721 tokens implement an immutable totalSupply function, you could limit the rootTokens to those that implement this, and use it to better validate against supply manipulation.
  • Ensure there is not any admin functionality around burning or otherwise transferring root token NFTs, this can lead to exploits in the wrapper governance.
  • Ensure there are no external calls in root token "transfer hooks"