Party DAO - D1r3Wolf's results

Lines of code

https://github.com/code-423n4/2023-10-party/blob/main/contracts/crowdfund/ETHCrowdfundBase.sol#L247-L258

Vulnerability details

Impact

A case is missing in the minContribution check, which will cause the DoS for crowd fund finalization and party creation. A case where, totalContributions is near minTotalContributions, and (maxTotalContributions - totalContributions) < minContribution. In that case, even though users are willing to give fund, no one can contribute and even host cant do anything. They just need to wait for expiration and create the initiate the new crowdfund, which disrupts the totalContribution. The next time might not acheive the same contribution again.

Proof of Concept

Lets take, minTotalContributions = 90, maxTotalContributions = 100. minContribution = 15, maxContribution = 25. Now the totalContributions = 89, just 1 less than to minTotalContributions.

Since the amount is getting reduced based on the (maxTotalContributions - totalContributions), the amount can't exceed the 11 (100 -89). But the minContribution check will fail since 11 < 15. It will create DoS

Recommended Mitigation Steps

Modify the minContribution check, or else add a constraint of minContribution <= (maxTotalContributions - minContribution) at initiation to avoid this deadlock.

Assessed type

DoS