10190 matches found
Input validation for the fields within opts (like opts.name, opts.symbol, opts.voteDuration, etc.) is necessary to ensure they meet the expected criteria.
Lines of code Vulnerability details M3 - Input validation for the fields within opts like opts.name, opts.symbol, opts.voteDuration, etc. is necessary to ensure they meet the expected criteria. poc: solidity function createParty private returns Party requirebytesopts.name.length 0, "Party name is...
Fund Drainage Due to Reentrancy Vulnerability in Crowdfunding
Lines of code Vulnerability details Impact In the refund function, there is a problem: this function reads the isAuthority state variable from the PartyGovernanceNFT contract after making an external call to the burn function of the same contract. The burn function in the PartyGovernanceNFT...
In batchRefund, adding a check for sufficient balance before attempting refunds could prevent potential failures.
Lines of code Vulnerability details M2 - In batchRefund, adding a check for sufficient balance before attempting refunds could prevent potential failures. poc: solidity function batchRefund external returns requireaddressthis.balance = totalRefundAmount, "Insufficient balance for refunds"; Assess...
Attacker can take over and hijack any and every asset of a party initialized with the governance value distributionsRequireVote set to false, through the utilization of a flash loan.
Lines of code Vulnerability details Pre-requisite knowledge & an overview of the features in question 1. The distributionsRequireVote flag: The distributionsRequireVote flag is a governance value flag set to false by default in the governance values. It determines whether or not a party member ca...
totalVotingPower is not being decreased in burn function in PartyGovernanceNFT.
Lines of code Vulnerability details Impact In PartyGovernanceNFT.burn function, burnAndUpdateVotingPower is being used which will reduce the votingPower from the burned nft and the mintedVotingPower. The totalVotingPower should be explicitly decreased in burn function which was missing here...
Arithmetic operation result in loss of voting power
Lines of code Vulnerability details Impact Carrying out calculation of voting power in function finalize based on division with value 1e4, then subtracting it with totalContributions and after that multiplying and dividing again will be a resultant that cause large precision error or even loss of...
User loses his delegated voting power after delegation to another user.
Lines of code Vulnerability details Vulnerability Details When a user delegates voting power to another user, his previous voting power from delegation has been ignored at getVotingPowerAt since in case isDelegated is true getVotingPowerAt returns 0. Impact Delegated voting power cannot be utilize...
The function _initProposalImpl should have access control checks to restrict who can initialize or change the implementation.
Lines of code Vulnerability details M4 - The function initProposalImpl should have access control checks to restrict who can initialize or change the implementation. poc: solidity function initProposalImplIProposalExecutionEngine impl, bytes memory initData internal onlyAuthorized Assessed type...
Signature malleability can occur by using EVM's ecrecover
Lines of code Vulnerability details Impact EVM's ecrecover is susceptible to signature malleability which allows replay attacks, check this. Proof of Concept OffChainSignatureValidator in its function isValidSignature checks for signature validity by using vulnerable method of ecrecover. address...
Incorrectly set totalVotingPower can allow users to pass arbitrary Proposals and steal all the parties NFTs
Lines of code Vulnerability details Bug Description The recent implementation update empowers the authority to decrease the totalVotingPower arbitrarily using the decreaseTotalVotingPower function. This authority-exclusive function allows the reduction of totalVotingPower by a specified amount. O...
Stale preciousListHash state variable permanently prevents a party from executing non-unanimous arbitrary call proposals and poses a high security risk.
Lines of code Vulnerability details Overview of the execute function in PartyGovernance Before diving into the details of the vulnerability, I need to explain how the execute function works in the PartyGovernance.sol contract. The execute is the function responsible for executing a proposal after...
A single host can vote on a proposal, then abdicate to another address and vote again to wrongly increase numHostsAccepted, and make a proposal ready for execution against the desire of the other hosts
Lines of code Vulnerability details Impact Protocol's intended functionality is: If all hosts accept a passed proposal, then veto period for that proposal will be skipped, and Proposal will immediately be "Ready" for execution. Note that the requirement is "ALL HOSTS accept a proposal", but a...
increaseTotalVotingPower() can be front-ran by an attacker with a call to rageQuit() in order to withdraw more assets than the attacker should be able to claim.
Lines of code Vulnerability details Overview of the vulnerability / PoC The function increaseTotalVotingPower in PartyGovernanceNFT does not have a front-running protection against rageQuit allowing a user to walk away with more assets than he should. An example of the attack 1. A party member...
No validation for the partyFactory contract!
Lines of code Vulnerability details Impact Malicious party contract can be deployed! Proof of Concept Party contracts are created by the proxyFactory contract. In the initialize function, the proxyFactory contract address is provided by the user which may bring catastrophic consequences. This...
decreaseTotalVotingPower - If totalVotingPower becomes less than mintedVotingPower, the protocol crashes(even can lose assets)
Lines of code Vulnerability details Impact If totalVotingPower getSharedProposalStorage.governanceValues.totalVotingPower -= votingPower; 1. Tak...
Vulnerability in Token Withdrawal Function
Lines of code Vulnerability details Impact Flawed logic in token withdrawal function allows for selective withdrawal of high-value tokens and fails in single-token scenarios. // Sum up total amount of each token to withdraw. uint256 memory withdrawAmounts = new uint256; IERC20 prevToken; for...
In parties with more than one host, a single host can bypass the execution delay of a proposal by transferring his host status to other addresses of his.
Lines of code Vulnerability details The Vulnerability After a proposal has gathered enough votes to pass, it waits through a period defined in the governance values named executionDelay. That executionDelay period is bypassed and the proposal can be executed immediately if ALL hosts of the party...
A malicious contributor can increase voting power maliciously and eventually steal funds!
Lines of code Vulnerability details Impact Unlimited voting power for attacker and stealing of funds! Proof of Concept All of the contribute functions use msg.value to calculate the votingpower. For example, contribute function looks like this: function contribute uint256 tokenId, address...
wrong check in batchContributeFor always leads to revert and loss of ETH
Lines of code Vulnerability details Bug Description The batchContributeFor function allows a caller to contribute to a number of recipients or tokenIds on behalf of the owner of tokenIds. This can happen by having a for loop which calls contribute each time for a specific address. However, in the...
The 51% majority can hijack the party's precious tokens through an arbitrary call proposal if the AddPartyCardsAuthority contract is added as an authority in the party.
Lines of code Vulnerability details Pre-requisite knowledge & an overview of the features in question 1. The AddPartyCardsAuthority contract: The AddPartyCardsAuthority contract is a contract designed to be integrated into a Party and it has only one purpose, and it is to mint new party governanc...
Host(s) + majority can steal assets of minority+other hosts without any option for minority(+otherhosts) to ragequit.
Lines of code Vulnerability details Impact The ragequit functionality is put in place to protect the rights of the minority, who are not in support of a proposal, and allow them to withdraw their share of assets and exit the party. In some cases, minority will not have the opportunity to ragequit...
Vote power can be manipulated to propose and/or pass needed proposals
Lines of code Vulnerability details Impact The PartyGovernance contract is susceptible to vote manipulation, as an attacker could potentially acquire a substantial loan, even without collateral, within a single block before submitting a proposal. The voting process solely considers this particula...
In some cases the crowdfund can't be finalized because the minContribution amount check is after the amount is reduced
Lines of code Vulnerability details Because of a finding in the previous contest, the minContribution check is done after the amount is potentially reduced if refunding excess contribution. However this can be a problem if the maxTotalContributions - minTotalContributions is smaller than the...
DoS in Providing Voting power after contribution due to minting based on totalVotingPower in PartyGovernanceNFT.increaseVotingPower
Lines of code Vulnerability details Impact The PartyGovernanceNFT contract was designed in such a way that it won't mint, increaseVotingPower if totalMint mintedVotingPower won't cross the totalVotingPower, if crossing only the difference between them totalVotingPower - mintedVotingPower will be...
Send Ether will call instead of transfer
Lines of code Vulnerability details Impact transfer automatically forwards exactly 2300 gas to the receiving contract. This limitation can restrict smart contract's ability to interact with other contracts that require more gas for their operations like receiving eth, leading to failed transactio...
Hosts should agree before performing operations like setting ragequit, vetoing
Lines of code Vulnerability details Impact Since a Party can have multiple hosts, they should agree before vetoing or setting rageQuit, to prevent a single compromised host from having absolute decision, just as is done when hosts accept a proposal Proof of Concept In PartyGovernanceveto and...
Potential drain of EthCrowdFund contract
Lines of code Vulnerability details Impact In the emergencyExecute function in the EthCrowdFundBase contract, the external call msg.value is decided by the user input which could lead to draining of funds by compromised wallet or human error. Also there is no check if the value of amoutnEth is at...
No token whitelist leaves rageQuit() vulnerable to malicious ERC20 token contracts
Lines of code Vulnerability details A malicious actor can exploit the PartyGovernanceNFT.sol::rageQuit function by specifying a malicious IERC20 contract in the withdrawTokens array. The malicious contract could "donate" tokens to the proxy contract to pass the balance check here and when the...
Unbounded iteration over all index
Lines of code Vulnerability details Impact The transactions could fail if the array gets too big and the transaction would consume more gas than the block limit. This will then result in a denial of service for the desired functionality and break core functionality. Proof of Concept Functions like...
Potential DDOS
Lines of code Vulnerability details Impact With three loops, and an O(n) + O(n^2) complexity this could cause DOS with users not being able to call this functions Proof of Concept Tools Used Recommended Mitigation Steps Assessed type DoS
Users can lose eth when contributing.
Lines of code Vulnerability details Impact When contributing in InitialETHCrowdfund, if minting adjusts the voting power for that user to cap it at totalVotingPower, the user does not get refunded the eth he lost. Proof of Concept PartyGovernanceNFTmint caps the mintedVotingPower at...
The batchRefund function could benefit from access control checks, such as ensuring only authorized users can perform batch refunds.
Lines of code Vulnerability details M1 - The batchRefund function could benefit from access control checks, such as ensuring only authorized users can perform batch refunds. poc: solidity function batchRefund external onlyAuthorized returns Assessed type Access Control
members can get less funds out than they should have in a rageQuit
Lines of code Vulnerability details Vulnerability details: Details: the function getVotingPowerShareOf in PartyGovernanceNft gets the voting power share of a tokenId and it does that by dividing the voting power that nft has by the totalVotingPower: function getVotingPowerShareOfuint256 tokenId...
funds stuck in crowdfund
Lines of code Vulnerability details Vulnerability details: Details: in ETHCrowdfundBase the crowdfund deployer can choose to implement fees that are given to a feeAdress with a certain percentage of the crowdfund ETH. the fee splitting is happening both in finalize: function finalizeuint96...
All contributions can get locked in the Crowdfund contract, with no means to refund users or finalize.
Lines of code Vulnerability details Impact ETHCrowdfundBasefinalize assumes that all contributions are intact, but there is an emergencyExecute function that is capable of spending part of crowdfund eth. If as little as one wei gets spent, Users cannot get refunded, and the Crowdfund will not get...
wrong return value of totalVotingPower leads to break the OffChainSignatureValidator#isValidSignature() functionality
Lines of code Vulnerability details Bug Description In the OffChainSignatureValidatorisValidSignature function we return the singerVotingPowerBPS in terms of BPSpoints by mul it by 1000 and the totalVotingPower is returned by calling the party.getGovernanceValues.totalVotingPower which is normal...
Potential negative value of votingPowerByTokenId
Lines of code Vulnerability details Impact Based on the context and functionality being used in the PartyGovernanceNFT contract, an authority address can reduce voting power by specifying the degree of reduction but the negative difference wasn't considered. Proof of Concept In this function...
Reentrancy on batchRefund making external call
Lines of code Vulnerability details Impact Reentrancy can occur when the refund function being called inside the batchRefund function allows external contract calls that can trigger the batchRefund function again before the previous execution is completed. Proof of Concept The batchRefund functio...
Users of ReraiseCrowdfund will potentially not receive appropriate voting power
Lines of code Vulnerability details Bug Description The recent code update introduces the functionality for authorities to reduce the total voting power by invoking the decreaseTotalVotingPower function of the party. However, this functionality can lead to issues when used in the time frame after...
anyone can burn the governance NFT
Lines of code Vulnerability details Impact Impact The impact of this finding centers on the PartyGovernanceNFT.sol smart contract, specifically within the context of the burnuint256 tokenId function. This critical function operates without any access control mechanisms in place. Consequently, it...
Increasing or decreasing totalVotingPower or individualVotingPower will affect current distributions for users that have not yet claimed.
Lines of code Vulnerability details Impact Altering the totalVotingPower or individualVotingPower will lead to unfair distributions among members that have not yet claimed Proof of Concept A member of a party can call PartyGovernancedistribute which will transfer the specified amount to...
In the _initialize function of the ETHCrowdfundBase contract, when minTotalContributions is equal to maxTotalContributions, crowdfund will never reach its minimum goal in some specific scenarios
Lines of code Vulnerability details Impact In the initialize function of the ETHCrowdfundBase contract, when minTotalContributions is equal to maxTotalContributions, crowdfund will never reach its minimum goal in some specific scenarios. The ETH of users who contribute to this crowdfund will be...
A single host can approve a proposal for all other hosts in the Party
Lines of code Vulnerability details Summary A single host can approve a proposal by transferring the host role to dummy accounts and voting again to increment the number of approvals. Impact When a proposal is created in a Party, the number of active hosts is snapshotted in the proposal state...
PartyGovernance contract cannot accept Eth
Lines of code Vulnerability details Impact The PartyGovernance contract does not have payable in its fallback function which is the main context of allowing a contract to accept Ether or else it will revert or lost forever if receive. Proof of Concept Lack of payable fallback function is...
payable.transfer() call will result in loss of unused Ether
Lines of code Vulnerability details Impact batchContribute function carries out funding and transfer in batches by using the payable.transfer call. This is unsafe as transfer has hard coded gas budget and can fail when the user is a smart contract. This way programmatical usage of batchContribute...
decreaseVotingPower() can be front-ran by an attacker to claim an amount of assets from the TokenDistributor more than he should be able to claim or withdraw more assets than he should be able to claim through rageQuit()
Lines of code Vulnerability details Overview of the vulnerability / PoC The function decreaseVotingPower in PartyGovernanceNFT does not have a front-running protection against a user claiming his share of a distribution or a user ragequitting using a token which is going to get its voting power...
Increasing of totalVotingPower during crowdfund can lead to users losing funds.
Lines of code Vulnerability details Bug Description The recent code update allows authorities to be declared at the start of the crowdfunding phase. This change allows authority-restricted functions to be called during the crowdfunding phase by the authorities added in the party constructor...
Upgraded Q -> 3 from #369 [1699544960870]
Judge has assessed an item in Issue 369 as 3 risk. The relevant finding follows: L-01 Controller can’t call setMaxTotalSupply due to lack of function to do it.
Upgraded Q -> 2 from #571 [1699543659773]
Judge has assessed an item in Issue 571 as 2 risk. The relevant finding follows: L-01 Internal accounting won’t work for rebase & elastic tokens
Upgraded Q -> 2 from #601 [1699543231321]
Judge has assessed an item in Issue 601 as 2 risk. The relevant finding follows: L-01 Interest rate constraints are not enforced when market interest rate is changed