
If a user contributes with a 0 amount, his delegate is not changed #73

Closed
c4-submissions opened this issue Nov 6, 2023 · 7 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-418 insufficient quality report This report is not of sufficient quality partial-25 Incomplete articulation of vulnerability; eligible for partial credit only (25%)

Comments

@c4-submissions
Contributor

Lines of code

https://github.com/code-423n4/2023-10-party/blob/main/contracts/crowdfund/InitialETHCrowdfund.sol#L297-L298

Vulnerability details

Proof of Concept

Using InitialETHCrowdfund._contribute, a user can provide funds together with a delegate, receive voting power in return, and delegate it (together with all of the user's other voting power) to the provided delegate.

It's possible that the user will provide a 0 amount. As the comment states, this can be used to change the user's delegator. The problem is that this will change the delegator only inside ETHCrowdfundBase, which is actually useless for the Party, and then the function will return. The real delegator in the Party will not be changed in this case.

As a result, the user will think that he has changed the delegator, but in reality it will be the same.

Impact

The delegator for the user will not be changed.

Tools Used

VsCode

Recommended Mitigation Steps

If the amount is 0, then change the delegator for the user.

```solidity
if (amount == 0) {
    delegateVotingPower(delegate);
    return;
}
```

But be careful with third parties using this. This should not be allowed, or should somehow be restricted.

Assessed type

Error

@c4-submissions c4-submissions added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Nov 6, 2023
c4-submissions added a commit that referenced this issue Nov 6, 2023
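The state split the report describes, as an added Python model (not the Party protocol's code): a crowdfund keeps its own delegation record while the party keeps the one governance actually uses, and a 0-amount contribution only touches the former unless the mitigation propagates it. Class and function names (Party, Crowdfund, contribute, delegate_after_zero_contribution) are my own; the report's caveat about third parties triggering the 0-amount path for someone else is not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Party:
    """Governance side: the delegation that actually counts for votes."""
    voting_power: dict = field(default_factory=dict)
    delegates: dict = field(default_factory=dict)

    def mint(self, to: str, power: int, delegate: str) -> None:
        self.voting_power[to] = self.voting_power.get(to, 0) + power
        self.delegates[to] = delegate


@dataclass
class Crowdfund:
    """Crowdfund side: its own delegation record, like ETHCrowdfundBase in the report."""
    party: Party
    propagate_zero: bool = False   # False reproduces the behaviour the report describes
    delegations: dict = field(default_factory=dict)

    def contribute(self, contributor: str, amount: int, delegate: str) -> int:
        # The local record is always updated, which is what misleads the contributor.
        self.delegations[contributor] = delegate
        if amount == 0:
            if self.propagate_zero:
                # Mitigation sketch: push the new delegate to the party as well.
                # A real fix must also restrict who may do this for whom (see the report).
                self.party.delegates[contributor] = delegate
            return 0
        self.party.mint(contributor, amount, delegate)
        return amount


def delegate_after_zero_contribution(propagate_zero: bool) -> tuple:
    """Return (delegate the crowdfund recorded, delegate the party uses)."""
    party = Party()
    cf = Crowdfund(party, propagate_zero=propagate_zero)
    cf.contribute("alice", 100, "bob")    # constructed sample: a funded contribution
    cf.contribute("alice", 0, "carol")    # constructed sample: 0-amount "change my delegate"
    return cf.delegations["alice"], party.delegates["alice"]
```

Without propagation the two records disagree after the 0-amount call; with it they agree.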
@c4-pre-sort c4-pre-sort added the insufficient quality report This report is not of sufficient quality label Nov 12, 2023
@c4-pre-sort

ydspa marked the issue as insufficient quality report

@c4-judge
Contributor

gzeon-c4 marked the issue as unsatisfactory: Invalid

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Nov 19, 2023
@rvierdiiev

hello @gzeon-c4
would you consider this report as a duplicate of #311, however partially?
i acknowledge that i have missed the whole problem and impact, however i found part of it

from primary issue

If voting power is 0, _contribute returns and new delegate is NOT propagated to party contract (InitialETHCrowdfund.sol#L298).

this is exactly what this report describes.

i would be happy to get partial 50 or even less if you think so.
thank you

@c4-judge
Contributor

gzeon-c4 marked the issue as duplicate of #311

@c4-judge
Contributor

gzeon-c4 marked the issue as partial-25

@c4-judge c4-judge added partial-25 Incomplete articulation of vulnerability; eligible for partial credit only (25%) duplicate-418 and removed unsatisfactory does not satisfy C4 submission criteria; not eligible for awards duplicate-311 labels Nov 23, 2023
@c4-judge
Contributor

gzeon-c4 marked the issue as duplicate of #418
