Party DAO - mahdikarimi's results

Protocol for group coordination.

General Information

Platform: Code4rena

Start Date: 31/10/2023

Pot Size: $60,500 USDC

Total HM: 9

Participants: 65

Period: 10 days

Judge: gzeon

Total Solo HM: 2

Id: 301

League: ETH

PartyDAO

Findings Distribution

Researcher Performance

Rank: 41/65

Findings: 1

Award: $117.57

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: TresDelinquentes

Also found by: 0xadrii, 3docSec, klau5, leegh, mahdikarimi, minimalproxy, rvierdiiev

Labels

bug
2 (Med Risk)
downgraded by judge
partial-50
edited-by-warden
insufficient quality report
duplicate-418

Awards

117.566 USDC - $117.57

External Links

Lines of code

https://github.com/code-423n4/2023-10-party/blob/b23c65d62a20921c709582b0b76b387f2bb9ebb5/contracts/crowdfund/InitialETHCrowdfund.sol#L302

https://github.com/code-423n4/2023-10-party/blob/b23c65d62a20921c709582b0b76b387f2bb9ebb5/contracts/party/PartyGovernanceNFT.sol#L194-L200

Vulnerability details

Vulnerability Details

When a user contributes to the crowdfund for the first time, an NFT is minted and voting power is delegated to the delegate address provided by the contributor. If it is not the first contribution, the delegate address is not changed. An attacker can therefore front-run the user's contribution and call contributeFor with the attacker's desired delegate address and a small contribution amount. Because the delegate was configured in that earlier transaction, the delegate address supplied by the user in the subsequent contribute call is ignored, and the attacker benefits from voting power delegated to an address of their choice.

Impact

Attackers benefit from free voting power

Proof of Concept

1. The user calls contribute for the first time and provides an address to delegate voting power to.
2. The attacker front-runs this transaction and calls contributeFor, providing his own address as the delegate.
3. Because the delegate was configured in the previous transaction, contribute does not change the delegate address.
4. The attacker uses the delegated voting power.

Tools Used

Manual Review

Recommended Mitigation Steps

Prevent providing a delegate address in the contributeFor function.
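As an added illustration (not the project's code and not part of the warden's submission), the following constructed Solidity model places the vulnerable "first contribution sets the delegate" pattern beside the recommended hardened variant, in which contributeFor takes no delegate parameter; the contract and function names are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed, simplified model of the delegation state described in the
// finding. Names (contributeFor, contribute, votingPower, delegateOf) are
// assumptions for illustration and are not PartyDAO's code.
contract DelegationModel {
    mapping(address => uint96) public votingPower;
    mapping(address => address) public delegateOf; // address(0) = not yet chosen

    // Vulnerable pattern: any caller may contribute on behalf of `contributor`
    // AND pick their delegate, and the delegate is only recorded on the
    // first contribution. Whoever lands the first (even dust-sized)
    // contribution therefore decides where the contributor's votes go.
    function contributeForVulnerable(address contributor, address delegate_) external payable {
        if (votingPower[contributor] == 0) {
            delegateOf[contributor] = delegate_;
        }
        votingPower[contributor] += uint96(msg.value);
    }

    // Hardened pattern (the warden's recommendation): a third party can fund
    // `contributor` but never choose their delegate. The slot stays unset until
    // the contributor acts for themselves, so a front-run cannot claim it.
    function contributeFor(address contributor) external payable {
        votingPower[contributor] += uint96(msg.value);
    }

    // Self-contribution: the contributor's first choice of delegate is
    // recorded regardless of whether someone else funded them earlier.
    function contribute(address delegate_) external payable {
        if (delegateOf[msg.sender] == address(0)) {
            delegateOf[msg.sender] = delegate_;
        }
        votingPower[msg.sender] += uint96(msg.value);
    }

    // Effective delegate: an unset slot means the holder votes for themselves.
    function effectiveDelegate(address holder) external view returns (address) {
        address d = delegateOf[holder];
        return d == address(0) ? holder : d;
    }
}
```

With the hardened functions, the sequence in the proof of concept leaves effectiveDelegate(user) equal to the address the user passed to contribute, because the attacker's earlier contributeFor call could not touch delegateOf.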

Assessed type

Other

#0 - ydspa

2023-11-12T08:57:32Z

Insufficient proof

Invalid

#1 - c4-pre-sort

2023-11-12T08:57:37Z

ydspa marked the issue as insufficient quality report

#2 - c4-judge

2023-11-19T15:06:44Z

gzeon-c4 changed the severity to 2 (Med Risk)

#3 - c4-judge

2023-11-19T15:06:57Z

gzeon-c4 marked the issue as duplicate of #418

#4 - c4-judge

2023-11-19T15:07:04Z

gzeon-c4 marked the issue as partial-50

#5 - c4-judge

2023-11-19T15:07:11Z

gzeon-c4 marked the issue as satisfactory

#6 - c4-judge

2023-11-19T15:07:28Z

gzeon-c4 marked the issue as partial-50
