Closed code423n4 closed 1 year ago
OK with risk. Prefer to guard against user error on FE. Host could also easily transfer to a dead address, that isn't nonzero.
This is a valid suggestion to help prevent user error. Downgrading to QA and merging with #250
Lines of code
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/PartyGovernance.sol#L458-L469
Vulnerability details
Description
There exists a functionality in the
PartyGovernance.sol
contract where a user has the ability to nominate and transfer thepartyHost
status to another address. This change of address is implemented instantaneously which is generally discouraged due to an error in the addresses.Impact
Whilst the contract does check for a zero address, if a partyHost were to transfer their status to another user and accidentally makes an error in the address they wish to assign, the action is irreversible.
Proof of Concept
Source: https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/PartyGovernance.sol#L458-L469
Tools Used
Manual code inspection
Recommended Mitigation Steps
Since this is a critical function of the contract, I recommend implementing this in the form of a two step change. This can be done by storing the new
partyHost
in a temporary variable in the form of a mapping along side the previous user (mapping(address => address)
). AconfirmAbdicate()
function can then be implemented to confirm these changes are correct.