Last contributor in BuyCrowdfund can claim too much voting power #206
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate
This issue or pull request already exists
edited-by-warden
Lines of code
https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/crowdfund/BuyCrowdfundBase.sol#L122
https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/crowdfund/BuyCrowdfundBase.sol#L131
https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/crowdfund/BuyCrowdfundBase.sol#L28-L30
https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/party/PartyGovernance.sol#L1043-L1046
Vulnerability details
Impact
If
maximumPrice
is not set (set to zero) then the contributor who callsBuyCrowdfund.buy
can get unanimous voting power in the party. This allows him to execute proposals on the party withoutexecutionDelay
and avoid getting vetoed by hosts. I particular, he might push through a proposal to send the precious NFT to the attacker address.Even if
maximumPrice
is set, then the attacker can still unfairly getmaximumPrice - NFTPrice
of voting power.Proof of Concept
We will use this helper contract:
Add this test case to BuyCrowdfund.t.sol:
Apart from adding the above function, set
uint96 defaultMaxPrice = 0;
and copy_isUnanimousVotes
function from PartyGovernance.sol.attacker
andcontributor
are just random payable addresses.The main idea here is that we can lie to
BuyCrowdfund.buy
about how much ETH do we need to buy the NFT and we can make this inflated amount still count towards voting power.Tools Used
Foundry
Recommended Mitigation Steps
I have two (admittedly imperfect) ideas for mitigation:
onlyHost
modifier toBuyCrowdfund.buy
just like inCollectionBuyCrowdfund
maximumPrice
to zero (no max price) and make sure that users are warned about potential consequences of settingmaximumPrice
too much above the expected price of NFT.The text was updated successfully, but these errors were encountered: