Closed code423n4 closed 1 year ago
Will add a revert if the call fails.
This is a fair recommendation. Downgrading since this is an admin function. It returns the value so they could check via a static call but of course there could be other transactions in the block making this not 100% reliable. They could also trace a tx afterwards. Merging with #250
Lines of code
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/PartyGovernance.sol#L795
Vulnerability details
Description
The PartyGovernance.sol contract implements an emergencyExecute() function which allows the DAO to execute arbitrary functions in the event of an emergency provided onlyWhenEmergencyExecuteAllowed is set to true. There is a defined bool which stores the successful or failure execution of the low level call() function against the targetAddress. This value is not checked regardless of if the call was successful or not.
This was awarded a "Medium" in severity because there wouldn't be an immediate way of knowing if the call was successful or not.
Impact
Whilst the emergency action(s) must not be revoked for the call to emergencyExecute(), in the event of a failure the result of the call will go unnoticed if it isn't checked.
Proof of Concept
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/PartyGovernance.sol#L795
Tools Used
Manual code inspection
Recommended Mitigation Steps
Consider applying a require() statement to check to see if the call was successful or not. If a require() statement is not desirable, at least consider emitting an event with the result of the call to allow for off-chain monitoring to immediately respond to the failure.
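The unchecked pattern described in the report next to the two recommended mitigations, as an added example that is not code from PartyGovernance.sol. The contract name, the single `admin` check standing in for the real access control, the parameter names `targetCallData` and `amountEth`, the event and the custom error are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration only; NOT the PartyDAO contract. Access control is
// reduced to one hypothetical `admin` address.
contract EmergencyExecuteSketch {
    address public immutable admin;

    // Hypothetical event and error names.
    event EmergencyExecuteResult(address indexed target, bool success, bytes returnData);
    error EmergencyCallFailed(bytes returnData);

    constructor(address admin_) { admin = admin_; }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    // Pattern from the report: the bool is returned but never checked, so a
    // failed inner call still produces a successful outer transaction.
    function emergencyExecuteUnchecked(address targetAddress, bytes calldata targetCallData, uint256 amountEth)
        external payable onlyAdmin returns (bool success)
    {
        (success, ) = targetAddress.call{value: amountEth}(targetCallData);
    }

    // Mitigation 1: revert on failure and carry the callee's revert data, so
    // the transaction itself fails and the reason can be decoded.
    function emergencyExecuteChecked(address targetAddress, bytes calldata targetCallData, uint256 amountEth)
        external payable onlyAdmin
    {
        (bool success, bytes memory res) = targetAddress.call{value: amountEth}(targetCallData);
        if (!success) revert EmergencyCallFailed(res);
    }

    // Mitigation 2: do not revert, but emit the outcome for off-chain monitoring.
    // Note: call() to an address with no code also reports success == true.
    function emergencyExecuteLogged(address targetAddress, bytes calldata targetCallData, uint256 amountEth)
        external payable onlyAdmin returns (bool success)
    {
        bytes memory res;
        (success, res) = targetAddress.call{value: amountEth}(targetCallData);
        emit EmergencyExecuteResult(targetAddress, success, res);
    }
}
```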