8 matches found
PartyGovernance contract cannot accept Eth
Lines of code Vulnerability details Impact The PartyGovernance contract does not have payable in it fallback back function which is the main context of allowing a contract to accept Ether or else it will revert or lost forever if receive. Proof of Concept Lack of payable fallback function is...
User loss his delegated voting power after delegation to another user.
Lines of code Vulnerability details Vulnerability Details When a user delegate voting power to another user, his previous voting power from delegation has been ignored at getVotingPowerAt since in case isDelegated is true getVotingPowerAt returns 0. Impact Delegated voting power cannot be utilize...
Stale preciousListHash state variable permanently prevents a party from executing non-unanimous arbitrary call proposals and poses a high security risk.
Lines of code Vulnerability details Overview of the execute function in PartyGovernance Before diving into the details of the vulnerability, I need to explain how the execute function works in the PartyGovernance.sol contract. The execute is the function responsible for executing a proposal after...
Voters can call VetoProposal.voteToVeto() as many times as they like.
Lines of code Vulnerability details Impact Each voter can veto a proposal if they want by calling voteToVeto several times to pass the passThresholdBps. Proof of Concept Every voter shouldn't vote several times, otherwise, the voting system will be broken. But voteToVeto doesn't check the already...
VetoProposal: proposals cannot be vetoed in all states in which it should be possible to veto proposals
Lines of code Vulnerability details Impact The VetoProposal contract allows to veto proposals with the voteToVeto function. The proposal can only be vetoed when it is in the Voting state, otherwise the voteToVeto function reverts. The issue is that the Voting state is not the only state in which ...
Front-running of accept call
Lines of code Vulnerability details Description There is accept and veto functions in the PartyGovernance contract. The functions accepts the proposalId accept function also accepts snapIndex, which does not contain any information about the proposal itself. As a result, transactions of users can...
A majority attack can easily bypass Zora auction stage in OpenseaProposal and steal the NFT from the party.
Lines of code Vulnerability details Description The PartyGovernance system has many defenses in place to protect against a majority holder stealing the NFT. One of the main protections is that before listing the NFT on Opensea for a proposal-supplied price, it must first try to be auctioned off o...
No control for the future Airdrop
Lines of code Vulnerability details Impact You can't control the airdrop NFT on this contract PartyGovernance.sol. You can only control the preciousListHash Proof of Concept The execute is check that the precious list preciousTokenIds and preciousTokens is valid or not if...