No hosts in PartyGovernance can block important governance functionalities #47
Comments
ydspa marked the issue as duplicate of #429
ydspa marked the issue as insufficient quality report
gzeon-c4 marked the issue as unsatisfactory:
I don't understand why it is invalid. I supplied a working POC with test code that is able to remove all hosts. Moreover, I'm wondering if developers will change "hosts management" in future implementations. If they will change this check in order to avoid deleting of all hosts, for sure my report had given a value for them. Thanks in advance
I would like to add that the primary issue, #429, was judged invalid due to "user error".
Hosts are trusted addresses, host being able to abdicate themselves is an expected behavior.
But there is no way to add new hosts. As #511, that was judged as QA due to the lack of abdicate function for authorities, the lack of adding function for hosts should be QA, isn't it?
OK, but according to #233, although hosts are trusted addresses, the sponsor accepted a case where their behavior is not fair. However, I accept your judgement. Thank you
Lines of code
https://github.com/code-423n4/2023-10-party/blob/b23c65d62a20921c709582b0b76b387f2bb9ebb5/contracts/party/PartyGovernance.sol#L457-L472
https://github.com/code-423n4/2023-10-party/blob/b23c65d62a20921c709582b0b76b387f2bb9ebb5/contracts/party/PartyGovernance.sol#L216-L220
https://github.com/code-423n4/2023-10-party/blob/b23c65d62a20921c709582b0b76b387f2bb9ebb5/contracts/party/PartyGovernance.sol#L665-L681
Vulnerability details
Title
No hosts in PartyGovernance can block important governance functionalities
Links to affected code:
https://github.com/code-423n4/2023-10-party/blob/b23c65d62a20921c709582b0b76b387f2bb9ebb5/contracts/party/PartyGovernance.sol#L457-L472
https://github.com/code-423n4/2023-10-party/blob/b23c65d62a20921c709582b0b76b387f2bb9ebb5/contracts/party/PartyGovernance.sol#L216-L220
https://github.com/code-423n4/2023-10-party/blob/b23c65d62a20921c709582b0b76b387f2bb9ebb5/contracts/party/PartyGovernance.sol#L665-L681
Impact
In PartyGovernance.sol, a host can abdicate its role to another address.
This function checks at the beginning if msg.sender is among the hosts, and, if not, reverts.
However, if newPartyHost is address(0x0), msg.sender will be removed from the isHost mapping, and will not be a host anymore. Furthermore, the counter numHosts is decreased by one.
We consider the case where a party is created with two hosts (like in tests).
If both of them abdicate to address(0x0), there will be no hosts for that party.
Although it should be a desired behavior, we want to point out why it could be critical.
We start with contest's README:
Publicly Known Issues section
Additional Context
So, the host is the only role that can perform the veto operation and that can configure Rage Quit.
Both operations are not indispensable, but are very important in the governance of a party, especially if wrong values were set by the last host and then it abdicates to address(0x0): those values will not be changed anymore.
In fact, there are two critical issues in these operations:
As stated in Severity categorization,
We consider the lack of hosts a situation where part of governance protocol availability is impacted.
Furthermore, these functionalities were implemented in this way. This means that there is the possibility that a host abdicates to address(0x0), and so there is the possibility that a party with initial hosts, will not have hosts anymore.
Proof of Concept
There is a function that checks the host condition:
PartyGovernance.sol#L216-L220
This check is based on the isHost mapping:
PartyGovernance.sol#L205-L206
isHost is only manipulated in
PartyGovernance._initialize()
PartyGovernance.abdicateHost()
So, after initialization, only abdicateHost() can modify the isHost mapping.
Let's go deeper into this function:
PartyGovernance.sol#L455-L472
When newPartyHost != address(0), newPartyHost is added into isHost, and msg.sender is removed. So, numHosts remains unchanged.
However, when newPartyHost == address(0), numHosts is decreased by one, msg.sender is removed and no host is added.
Now, what if the last host calls this function with newPartyHost == address(0)? isHost will have only address -> false. This means that _assertHost() will revert forever, and there will be no way to create a new host or change this behavior.
Now, _assertHost() is used inside two functions:
PartyGovernance.veto()
PartyGovernanceNFT.setRageQuit()
Both of these will be unavailable forever.
We implemented a test in order to remove all hosts:
Tools Used
Foundry and visual inspection
Recommended Mitigation Steps
It would be better if the Authority role had the ability to add a new host.
Furthermore, abdicateHost() could be changed in order to remove a host only if it is not the last one:
Assessed type
Governance
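A simplified model of the host bookkeeping the report describes, next to the guard its mitigation section suggests. This is an added example, not the Party Protocol's code or the reporter's test: HostModel, the three errors, abdicateHostGuarded() and hostOnlyAction() are hypothetical names, and rejecting a transfer to an existing host is an assumption made so that numHosts stays consistent.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative model only; all names here are hypothetical.
contract HostModel {
    error NotAuthorizedError();
    error InvalidNewHostError();
    error LastHostError();

    mapping(address => bool) public isHost;
    uint8 public numHosts;

    constructor(address[] memory hosts) {
        for (uint256 i = 0; i < hosts.length; ++i) {
            // Count each address once, even if it is listed twice.
            if (!isHost[hosts[i]]) { isHost[hosts[i]] = true; ++numHosts; }
        }
    }

    function _assertHost() internal view {
        if (!isHost[msg.sender]) revert NotAuthorizedError();
    }

    /// Behaviour as the report describes it: abdicating to address(0)
    /// burns the caller's host status, even when the caller is the last host.
    function abdicateHost(address newPartyHost) external {
        _assertHost();
        if (newPartyHost != address(0)) {
            // Assumption: transfers to an existing host are rejected.
            if (isHost[newPartyHost]) revert InvalidNewHostError();
            isHost[newPartyHost] = true;
        } else {
            --numHosts;
        }
        isHost[msg.sender] = false;
    }

    /// Variant with the suggested guard: the last host may hand over the
    /// role, but may not burn it.
    function abdicateHostGuarded(address newPartyHost) external {
        _assertHost();
        if (newPartyHost == address(0)) {
            if (numHosts == 1) revert LastHostError();
            --numHosts;
        } else {
            if (isHost[newPartyHost]) revert InvalidNewHostError();
            isHost[newPartyHost] = true;
        }
        isHost[msg.sender] = false;
    }

    /// Stand-in for host-gated functions such as veto() and setRageQuit().
    function hostOnlyAction() external view returns (bool) {
        _assertHost();
        return true;
    }
}
```

Deployed with two hosts, two calls to abdicateHost(address(0)) leave numHosts at 0 and hostOnlyAction() reverting for every caller. With abdicateHostGuarded() the second call reverts with LastHostError instead.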