Party DAO - pep7siup's results

Protocol for group coordination.

General Information

Platform: Code4rena

Start Date: 31/10/2023

Pot Size: $60,500 USDC

Total HM: 9

Participants: 65

Period: 10 days

Judge: gzeon

Total Solo HM: 2

Id: 301

League: ETH

Researcher Performance

Rank: 12/65

Findings: 1

Award: $716.76

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: 3docSec

Also found by: Bauchibred, lsaudit, pep7siup

Labels

bug
2 (Med Risk)
satisfactory
insufficient quality report
duplicate-340

Awards

716.7564 USDC - $716.76

External Links

Lines of code

https://github.com/code-423n4/2023-10-party/tree/main/contracts/party/PartyGovernanceNFT.sol#L208
https://github.com/code-423n4/2023-10-party/tree/main/contracts/party/PartyGovernanceNFT.sol#L236
https://github.com/code-423n4/2023-10-party/tree/main/contracts/party/PartyGovernanceNFT.sol#L247
https://github.com/code-423n4/2023-10-party/tree/main/contracts/party/PartyGovernanceNFT.sol#L255
https://github.com/code-423n4/2023-10-party/blob/main/contracts/renderers/PartyNFTRenderer.sol#L294

Vulnerability details

Impact

PartyGovernanceNFT does not comply with the ERC4906 specification. ERC4906 exists so that third-party platforms and services (marketplaces, indexers, wallets) are told when a token's metadata changes; when the required events are not emitted, those services keep serving stale metadata for the governance NFT, which leads to interoperability issues.

Proof of Concept

The PartyGovernance contract, as stated in README.md, should comply with ERC4906. Because PartyGovernanceNFT inherits from PartyGovernance, the parent's compliance requirements carry over to the child contract.

// File: README.md
- The protocol is designed to comply with several Ethereum Improvement Proposals (EIPs). Following contracts should be in compliance:
  - `PartyGovernance`: Should comply with `ERC4906` // <= FOUND
  - `PartyGovernance`: Should comply with `ERC165`
  - `PartyGovernanceNFT`: Should comply with `ERC2981`
  - `PartyGovernanceNFT`: Should comply with `ERC721`
  - `PartyGovernanceNFT`: Should comply with `ERC165`
  ...

Nevertheless, several PartyGovernanceNFT functions do not meet ERC4906, which requires a MetadataUpdate or BatchMetadataUpdate event to be emitted whenever an action changes token metadata. The functions in question are increaseVotingPower, decreaseVotingPower, decreaseTotalVotingPower and increaseTotalVotingPower. Each of them changes the metadata: as shown in PartyNFTRenderer.tokenURI below, the URI is built from generateDescription, which embeds generateVotingPowerPercentage(tokenId), the token's share of the total voting power. A change to one token's voting power therefore alters that token's metadata, and a change to the total voting power alters the percentage shown for every token.

// File: contracts/renderers/PartyNFTRenderer.sol
function tokenURI(uint256 tokenId) external view returns (string memory) {
    ...
            ? generateDescription(PartyGovernanceNFT(address(this)).name(), tokenId) // <= FOUND
}
    ...
function generateDescription(
    ...
            string.concat(
                "This membership represents ",
                generateVotingPowerPercentage(tokenId), // <= FOUND
                "% voting power in ",
                partyName,
                ". Head to ",
                generateExternalURL(),
    ...
}
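The following Solidity sketch is added here as an illustration and is not taken from the PartyDAO code base. It shows the event pattern ERC4906 requires for the four functions named above, in a contract whose metadata depends on votingPower[tokenId] / totalVotingPower the way the renderer's percentage does. The contract name, the storage layout and the votingPowerBps helper are assumptions made for the example; the event signatures and the 0x49064906 interface ID are fixed by the EIP. It also covers a point the report does not raise: ERC4906 compliance additionally requires supportsInterface to return true for 0x49064906, otherwise indexers have no standard way to discover that the events are emitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// ERC-4906 events exactly as defined by the EIP. ERC-4906 declares no
/// functions, so its ERC-165 interface ID is fixed by the spec to 0x49064906.
interface IERC4906 {
    /// Emitted when the metadata of a single token changes.
    event MetadataUpdate(uint256 _tokenId);
    /// Emitted when the metadata of a consecutive range of tokens changes.
    event BatchMetadataUpdate(uint256 _fromTokenId, uint256 _toTokenId);
}

/// Hypothetical governance NFT used only for this example. Its metadata is
/// derived from votingPower[tokenId] / totalVotingPower, mirroring the
/// dependency PartyNFTRenderer.generateVotingPowerPercentage introduces.
/// ERC-721 plumbing and access control are omitted on purpose.
contract VotingPowerMetadataExample is IERC4906 {
    mapping(uint256 => uint256) public votingPower;
    uint256 public totalVotingPower;

    // ERC-165 ID of ERC-165 itself, and the fixed ERC-4906 ID from the EIP.
    bytes4 private constant _ERC165_ID = 0x01ffc9a7;
    bytes4 private constant _ERC4906_ID = 0x49064906;

    /// Advertise ERC-4906 support; without this, indexers that follow the
    /// standard will not subscribe to the metadata events at all.
    function supportsInterface(bytes4 interfaceId) external pure returns (bool) {
        return interfaceId == _ERC165_ID || interfaceId == _ERC4906_ID;
    }

    /// Only this token's percentage changes: MetadataUpdate(tokenId) suffices.
    function increaseVotingPower(uint256 tokenId, uint256 amount) external {
        votingPower[tokenId] += amount;
        emit MetadataUpdate(tokenId);
    }

    function decreaseVotingPower(uint256 tokenId, uint256 amount) external {
        votingPower[tokenId] -= amount;
        emit MetadataUpdate(tokenId);
    }

    /// The percentage embedded in every token's description is relative to
    /// totalVotingPower, so changing it changes the metadata of every token.
    /// Announce the whole id space; (0, type(uint256).max) is the common way
    /// to say "all tokens" with BatchMetadataUpdate.
    function increaseTotalVotingPower(uint256 amount) external {
        totalVotingPower += amount;
        emit BatchMetadataUpdate(0, type(uint256).max);
    }

    function decreaseTotalVotingPower(uint256 amount) external {
        totalVotingPower -= amount;
        emit BatchMetadataUpdate(0, type(uint256).max);
    }

    /// Share of total voting power in basis points, the kind of value a
    /// renderer would embed in tokenURI. Assumed helper, not the project's.
    function votingPowerBps(uint256 tokenId) external view returns (uint256) {
        if (totalVotingPower == 0) return 0;
        return votingPower[tokenId] * 10_000 / totalVotingPower;
    }
}
```

The split between the two events follows from the metadata dependency: a single-token change is announced with MetadataUpdate for that id, while a change to the total is announced with one BatchMetadataUpdate over the whole id range rather than one MetadataUpdate per token, which would not scale with the number of members.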

Tools Used

Manual Review

Recommended Mitigation Steps

Emit the required ERC4906 events from the functions listed above: MetadataUpdate(tokenId) when a single token's voting power changes, and BatchMetadataUpdate over the affected token range when the total voting power changes, since that changes the percentage embedded in every token's metadata.

Assessed type

Other

#0 - ydspa

2023-11-11T18:44:03Z

PartyNFTRenderer contract not in scope in this audit

Invalid: OOS

#1 - c4-pre-sort

2023-11-11T18:44:08Z

ydspa marked the issue as insufficient quality report

#2 - c4-judge

2023-11-19T17:08:16Z

gzeon-c4 marked the issue as unsatisfactory: Out of scope

#3 - hungdoo

2023-11-22T00:42:53Z

Hi @gzeon-c4,

Thanks for the judging effort. I would like to kindly request a thorough review of this report. I firmly believe that the reported issue falls well within the specified scope of the audit and should be graded the same as issue https://github.com/code-423n4/2023-10-party-findings/issues/340.

My reason is that the Scout's comment suggesting "PartyNFTRenderer contract not in scope in this audit" appears to be a misunderstanding. I want to clarify that the mention of the PartyNFTRenderer contract was solely intended as evidence supporting the necessity for ERC4906 event emittance within the PartyGovernanceNFT functions, where the root cause of the issues lies.

Thank you for your attention to this request.

#4 - c4-judge

2023-11-23T09:01:17Z

gzeon-c4 marked the issue as duplicate of #340

#5 - c4-judge

2023-11-23T09:01:22Z

gzeon-c4 marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
