code-423n4 / 2022-09-party-findings


PartyGovernance.disableEmergencyExecute() permanently disables emergencyExecute() #275

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/PartyGovernance.sol#L800-L802

Vulnerability details

Impact

PartyGovernance.disableEmergencyExecute() will permanently disable PartyGovernance.emergencyExecute() as there is no other means to toggle emergencyExecuteDisabled back to false. This means emergencyExecute() can never be called once

Proof of Concept

https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/PartyGovernance.sol#L800-L802

Tools Used

Manual review

Recommended Mitigation Steps

The logic should allow toggling the emergencyExecuteDisabled state.

merklejerk commented 1 year ago

That's the intended design.

HardlyDifficult commented 1 year ago

This is a design choice - there are pros and cons to allowing it to flip back, but that's not explored in this report, so closing as invalid.