Back to ast3ros's contests

Party DAO - ast3ros's results

Protocol for group coordination.

General Information

Platform: Code4rena

Start Date: 31/10/2023

Pot Size: $60,500 USDC

Total HM: 9

Participants: 65

Period: 10 days

Judge: gzeon

Total Solo HM: 2

Id: 301

League: ETH

PartyDAO

Findings Distribution

Researcher Performance

Rank: 32/65

Findings: 1

Award: $199.93

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryPartyDAO

Findings Information

🌟 Selected for report: Madalad

Also found by: 0xbepresent, 3docSec, Emmanuel, HChang26, P12473, Shaheen, adriro, ast3ros, bart1e, evmboi32, klau5, pontifex, rvierdiiev, sin1st3r__

Awards

199.934 USDC - $199.93

Labels

bug
3 (High Risk)
satisfactory
sufficient quality report
upgraded by judge
duplicate-233

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-10-party/blob/06e6271b75a30f00ae2674e8c26f3eb9e89e75e5/contracts/party/PartyGovernance.sol#L1097-L1100

Vulnerability details

Impact

One host can allow a proposal to skip execution delay without all host accepted. The host role responsibility is defined below, it should now allow to bypass without full host consensus.

    Hosts: A role in the Party for trusted addresses that grants the ability to unilaterally veto proposals in the Party and configure Rage Quit. Each Host may or may not be a member (i.e. have non-zero voting power in the Party).

Proof of Concept

When getting the status of a proposal, there is a case when if all hosts vote for a proposal, the propsal can skip the execution delay and can be called right away.

    // If all hosts voted, skip execution delay
    if (_hostsAccepted(pv.numHosts, pv.numHostsAccepted)) {
        return ProposalStatus.Ready;
    }

https://github.com/code-423n4/2023-10-party/blob/06e6271b75a30f00ae2674e8c26f3eb9e89e75e5/contracts/party/PartyGovernance.sol#L1097-L1100

However, the check can be bypass and one host can allow the skip of execution instead of all hosts. In accept function, when an account vote for a proposal, the msg.sender is checked if it is a host, then it increases the number of host accepted by one.

    if (isHost[msg.sender]) {
        ++values.numHostsAccepted;
    }

There is function abdicateHost that allow transfering host status to another account. A host can just transfer to another if its address and call accept again, artificially inflating the count of accepting hosts, and bypass the check.

    /// @notice Transfer party host status to another.
    /// @param newPartyHost The address of the new host.
    function abdicateHost(address newPartyHost) external {
        _assertHost();
        // 0 is a special case burn address.
        if (newPartyHost != address(0)) {
            // Cannot transfer host status to an existing host.
            if (isHost[newPartyHost]) {
                revert InvalidNewHostError();
            }
            isHost[newPartyHost] = true;
        } else {
            // Burned the host status
            --numHosts;
        }
        isHost[msg.sender] = false;
        emit HostStatusTransferred(msg.sender, newPartyHost);
    }

Tools Used

Manual

Implement a snapshot mechanism of host status at the time of proposal creation to ensure that only the hosts at the time can contribute to the acceptance count, preventing manipulation by host role transfer.

Assessed type

Other

#0 - c4-pre-sort

2023-11-12T06:02:45Z

ydspa marked the issue as duplicate of #538

#1 - c4-pre-sort

2023-11-12T06:02:52Z

ydspa marked the issue as sufficient quality report

#2 - c4-judge

2023-11-19T13:31:32Z

gzeon-c4 changed the severity to 3 (High Risk)

#3 - c4-judge

2023-11-19T13:31:56Z

gzeon-c4 marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter