Platform: Code4rena
Start Date: 31/10/2023
Pot Size: $60,500 USDC
Total HM: 9
Participants: 65
Period: 10 days
Judge: gzeon
Total Solo HM: 2
Id: 301
League: ETH
Rank: 21/65
Findings: 2
Award: $385.16
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Madalad
Also found by: 0xbepresent, 3docSec, Emmanuel, HChang26, P12473, Shaheen, adriro, ast3ros, bart1e, evmboi32, klau5, pontifex, rvierdiiev, sin1st3r__
199.934 USDC - $199.93
https://github.com/code-423n4/2023-10-party/blob/main/contracts/party/PartyGovernance.sol#L465 https://github.com/code-423n4/2023-10-party/blob/main/contracts/party/PartyGovernance.sol#L636-L638
Protocol's intended functionality is: If all hosts accept a passed proposal, then veto period for that proposal will be skipped, and Proposal will immediately be "Ready" for execution. Note that the requirement is "ALL HOSTS accept a proposal", but a single host can maliciously increase the numHostsAccepted count, and make it look like all hosts actually accepted the proposal, which will make the proposal ready for execution against the intention of the other hosts. This allows malicious proposals to skip veto period and immediately become ready for execution, which may negatively affect other hosts and the Party in general
Looking at LINE 636 of PartyGovernance#accept function, we can see that if the caller is a host, the numHostsAccepted count is incremented. this line prevents the host from voting twice on a proposal.
The problem is, the caller, who is a host can call PartyGovernance#abdicateHost to transfer host status to another address, and then vote again with that address, which would increment the numHostsAccepted count. He can repeat this numHosts times so that this check passes, and _getProposalStatus returns "Ready", which will allow execution of the proposal against the intention of the other hosts
Manual Review
Consider implementing the following: Snapshot the Hosts status each time abdicateHost is called, and instead of checking the current host status of msg.sender, the snapshotted host status as at proposalCreationTime should be used.
Invalid Validation
#0 - c4-pre-sort
2023-11-11T13:13:25Z
ydspa marked the issue as duplicate of #538
#1 - c4-pre-sort
2023-11-11T13:13:32Z
ydspa marked the issue as sufficient quality report
#2 - c4-judge
2023-11-19T13:31:50Z
gzeon-c4 marked the issue as satisfactory
🌟 Selected for report: 3docSec
Also found by: 0xMosh, 0xadrii, 0xmystery, Bauchibred, Ch_301, Emmanuel, J4X, Madalad, Pechenite, Shaheen, Topmark, TresDelinquentes, Walter, ZanyBonzy, adeolu, adriro, chainsnake, joaovwfreire, lsaudit, osmanozdemir1, sin1st3r__
185.2313 USDC - $185.23
https://github.com/code-423n4/2023-10-party/blob/main/contracts/party/PartyGovernanceNFT.sol#L479 https://github.com/code-423n4/2023-10-party/blob/main/contracts/party/PartyGovernanceNFT.sol#L486
Once a Party adds an authority, it can NEVER remove it even when an upgrade of Authorities is required. Instead, it depends on the authority to abdicate at will.
Authorities have "root user privileges", and while they are trusted, there will be scenarios where a Party might want to totally remove an authority and add a new one, (e.g. due to some needed functionality).
Parties have the ability to addAuthority through a proposal, but there is no corresponding function for the party to remove an authority. Instead, Parties rely on the authority to call the abdicateAuthority function to relinquish the authority role.
This means that an authority can be stuck with a Party forever, which is dangerous, given the amount of privileges it has
Manual Review
Just like the addAuthority function, there should be a removeAuthority function as well which should have the onlySelf modifier
Other
#0 - ydspa
2023-11-11T08:13:32Z
QA
#1 - c4-pre-sort
2023-11-11T08:13:38Z
ydspa marked the issue as insufficient quality report
#2 - c4-judge
2023-11-19T14:26:45Z
gzeon-c4 changed the severity to QA (Quality Assurance)