c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-10-party/blob/main/contracts/party/PartyGovernanceNFT.sol#L486 https://github.com/code-423n4/2023-10-party/blob/main/contracts/authorities/AddPartyCardsAuthority.sol#L7

Vulnerability details

Impact

Parties have an abdicateAuthority function which relinquishes authority role for msg.sender. The issue is AddPartyCardsAuthority does not have a mechanism to call the abdicateAuthority function, making the function useless as it is never called

Proof of Concept

Parties create proposals to add an Authority. These authorities have privileges like altering votingPower of a user or totalVotingPower of a party.

Parties have an abdicateAuthority function, which is expected to be called by an authority to give up the authority role:

    function abdicateAuthority() external {
        _assertAuthority();
        delete isAuthority[msg.sender];

        emit AuthorityRemoved(msg.sender);
    }

The problem is that, the current implementations of authorities(AddPartyCardsAuthority), which protocol created(and is expected to be used by most parties), does not have a way to call the abdicateAuthority function.

Tools Used

Manual Review

Recommended Mitigation Steps

AddPartyCardsAuthority and future authorities should have a function that can call Party's abdicateAuthority function. The function should only be callable by the Party.
An Authority abstract contract should be created, which should contain all essential functions that an authority should have. All authority contracts should inherit this abstract contract and implement the essential functions.

Assessed type

Context

ydspa commented 1 year ago

QA: L

c4-pre-sort commented 1 year ago

ydspa marked the issue as insufficient quality report

c4-judge commented 1 year ago

gzeon-c4 changed the severity to QA (Quality Assurance)

Emedudu commented 1 year ago

Parties have an abdicateAuthority function, which is meant to be called by an authority to give up the authority role.

The AddPartyCardsAuthority, which is the only protocol developed authority, and will be used by most Parties, lack a means to call Party#abdicateAuthority. This means that AddPartyCardsAuthority will be stuck with a Party forever, even when the developers intend that a Party should be able to switch authorities

This clearly shows that AddPartyCardsAuthority does not work as intended, as Party#abdicateAuthority is never called.

Therefore, I believe this should be of MEDIUM severity

Please have a look, thanks.

gzeon-c4 commented 1 year ago

AddPartyCardsAuthority is out-of-scope meant to invalidate this but its tricky to validate a qa issue with the c4 ui

code-423n4 / 2023-10-party-findings

AddPartyCardsAuthority has no function to `abdicateAuthority` #511