Code4rena (code423n4) CODE423N4:2023-04-PARTY-FINDINGS-ISSUES-46
Apr 14, 2023 - 12:00 a.m.

VetoProposal#voteToVeto can be called repeatedly by same voter and be used to lock party


Lines of code

Vulnerability details

Impact

Party can be locked due to not being able to pass any proposals.

Proof of Concept

VetoProposal.sol#L37-L59

    uint96 votingPower = party.getVotingPowerAt(
        msg.sender,
        proposalValues.proposedTime - 1,
        snapIndex
    );
    uint96 newVotes = votes + votingPower;

    // Check if the vote to veto is passing
    PartyGovernance.GovernanceValues memory governanceValues = party.getGovernanceValues();
    if (
        _areVotesPassing(
            newVotes,
            governanceValues.totalVotingPower,
            governanceValues.passThresholdBps
        )
    ) {
        // If so, veto the proposal and clear the vote count
        party.veto(proposalId);
        delete vetoVotes[party][proposalId];
    } else {
        // If not, update the vote count
        vetoVotes[party][proposalId] = newVotes;
    }

When a user casts a vote to veto a proposal, the contract never records that the user has voted, so the same user can vote repeatedly and veto any proposal they wish. Each call adds the caller's voting power to the stored vote count again. This allows any party that uses this contract as the host to be locked by a single malicious user, because they are able to veto every single proposal.

Tools Used

Manual Review

Recommended Mitigation Steps

Add a mapping to track which users have voted
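
One way to apply this mitigation, shown as an added example rather than the project's own code or its actual fix. The `IPartyLike` interface, its `proposedTimeOf` getter, the two-value return of `getGovernanceValues`, the `hasVoted` mapping, the `AlreadyVotedError` error and the body of `_areVotesPassing` are all assumptions made so the sketch is self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical minimal interface: the three calls visible in the excerpt, plus an
// assumed getter standing in for however the contract loads proposalValues.proposedTime.
interface IPartyLike {
    function getVotingPowerAt(address voter, uint40 timestamp, uint256 snapIndex)
        external view returns (uint96);
    function getGovernanceValues()
        external view returns (uint96 totalVotingPower, uint16 passThresholdBps);
    function proposedTimeOf(uint256 proposalId) external view returns (uint40);
    function veto(uint256 proposalId) external;
}

contract VetoVoteTrackingExample {
    error AlreadyVotedError(address voter);

    // party => proposalId => accumulated veto votes, as in the excerpt
    mapping(IPartyLike => mapping(uint256 => uint96)) public vetoVotes;
    // Added: party => proposalId => voter => already voted to veto
    mapping(IPartyLike => mapping(uint256 => mapping(address => bool))) public hasVoted;

    function voteToVeto(IPartyLike party, uint256 proposalId, uint256 snapIndex) external {
        // Reject a repeat vote before any voting power is counted.
        if (hasVoted[party][proposalId][msg.sender]) revert AlreadyVotedError(msg.sender);
        hasVoted[party][proposalId][msg.sender] = true;

        uint96 votingPower = party.getVotingPowerAt(
            msg.sender, party.proposedTimeOf(proposalId) - 1, snapIndex);
        uint96 newVotes = vetoVotes[party][proposalId] + votingPower;

        (uint96 totalVotingPower, uint16 passThresholdBps) = party.getGovernanceValues();
        if (_areVotesPassing(newVotes, totalVotingPower, passThresholdBps)) {
            party.veto(proposalId);
            delete vetoVotes[party][proposalId];
        } else {
            vetoVotes[party][proposalId] = newVotes;
        }
    }

    // Assumed pass rule: votes / total, in basis points, must reach the threshold.
    function _areVotesPassing(uint96 votes, uint96 total, uint16 bps)
        private pure returns (bool)
    {
        return (uint256(votes) * 1e4) / uint256(total) >= uint256(bps);
    }
}
```

The per-voter flag is keyed by party and proposal, so a vote on one proposal does not block the same address from voting on another.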

