Majority could steal ETH from sale using ArbitraryCallsProposal.sol before anyone calls PartyGovernance.sol#distribute

[code423n4]

Lines of code

https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/proposals/ListOnOpenseaProposal.sol#L350-L373
https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/proposals/ListOnZoraProposal.sol#L164-L204

Vulnerability details

Impact

ETH from sale can be stolen

Proof of Concept

When the sale of an NFT is completed, the ETH is sent to the party contract where it can be distributed. A malicious majority could create a ArbitraryCallsProposal.sol that sends them all the ETH in the contract. If no one notices what they are doing before the proposal goes through, they can use the call to steal all the ETH from the sale.

Tools Used

Manual Review

Recommended Mitigation Steps

Distribute should be called by the proposal during the final step to guarantee that the funds are distributed. This protects users because only one proposal can be active at once and before they could create the proposal to give themselves all the ETH, they would have to call the final step and distribute it instead.

[merklejerk]

This risk can be mitigated by a party choosing vigilant hosts (since they can veto any proposal). Reasonable governance configs (e.g., executionDelay) can also mitigate this. We do feel it's important that a party be able to hold the ETH from the sale and do something productive with it, so we do not want to add an automatic distribution at the end of sales.

[HardlyDifficult]

This seems to be as designed and leans on governance to protect the party. The recommendation sacrifices capability. Reducing to Low risk for consideration.

Converting into a QA report for the warden.