Majority could steal ETH from sale using ArbitraryCallsProposal.sol before anyone calls PartyGovernance.sol#distribute #191
Labels
- bug: Something isn't working
- disagree with severity: Sponsor confirms validity, but disagrees with warden's risk assessment (sponsor explain in comments)
- QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
- sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/proposals/ListOnOpenseaProposal.sol#L350-L373
https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/proposals/ListOnZoraProposal.sol#L164-L204
Vulnerability details
Impact
ETH from sale can be stolen
Proof of Concept
When the sale of an NFT is completed, the ETH is sent to the party contract where it can be distributed. A malicious majority could create an ArbitraryCallsProposal.sol that sends them all the ETH in the contract. If no one notices what they are doing before the proposal goes through, they can use the call to steal all the ETH from the sale.
Tools Used
Manual Review
Recommended Mitigation Steps
Distribute should be called by the proposal during the final step to guarantee that the funds are distributed. This protects users because only one proposal can be active at once and before they could create the proposal to give themselves all the ETH, they would have to call the final step and distribute it instead.
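A sketch of the recommended mitigation, added here as an illustration and not taken from the PartyDAO code base: the final step of a sale proposal settles the sale and hands the proceeds to a distributor in the same transaction, before the single-proposal lock is released. The contract, the interfaces `IDistributor` and `IMarket`, and all function names are hypothetical, and membership and voting checks are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical, simplified model of the mitigation; not PartyDAO's contracts.
interface IDistributor {
    // Assumed: takes custody of msg.value and lets members claim pro rata.
    function createEthDistribution(address party) external payable;
}

interface IMarket {
    // Assumed: settles the listing and sends the sale proceeds to the caller.
    function settle(uint256 listingId) external;
}

contract SaleProposalModel {
    IDistributor public immutable distributor;
    IMarket public immutable market;
    // Models the rule that only one proposal can be active at once.
    bool public proposalInProgress;

    constructor(IDistributor d, IMarket m) {
        distributor = d;
        market = m;
    }

    // Needed so the market can pay the proceeds to this contract.
    receive() external payable {}

    function startSale() external {
        require(!proposalInProgress, "another proposal is active");
        proposalInProgress = true;
        // Listing the NFT is omitted in this model.
    }

    // Final step: settle and distribute atomically, so sale proceeds never
    // sit in the party contract while another proposal could execute.
    function finalizeSale(uint256 listingId) external {
        require(proposalInProgress, "no sale in progress");
        uint256 balanceBefore = address(this).balance;
        market.settle(listingId);
        uint256 proceeds = address(this).balance - balanceBefore;
        if (proceeds > 0) {
            distributor.createEthDistribution{value: proceeds}(address(this));
        }
        // The lock is released only after the proceeds have left the party.
        proposalInProgress = false;
    }
}
```

Only the sale proceeds are forwarded in this model; ETH already held by the party before the sale is untouched and stays subject to ordinary governance.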