-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Finalizing crowdfunds would never work in some instances due to how minTotalContributions
& maxTotalContributions
are initialized
#262
Comments
ydspa marked the issue as duplicate of #552 |
ydspa marked the issue as insufficient quality report |
gzeon-c4 marked the issue as unsatisfactory: |
gzeon-c4 marked the issue as unsatisfactory: |
HI @gzeon-c4. Thanks for judging, but I’d really appreciate you having another review on the validity of this report, unlike other duplicates of #522, this report explains the same issue as #119 that was deemed
The fact of this being a valid duplicate of #119, can be seen right from the first section of this report, i.e impact section of this report.
This report also referenced the initialization logic and talked about the bug since they (min/maxContributions) can be set the same, with a code snippet attached.
The recommended mitigation step of this report is exactly same with the one referenced above(#119), stating that Note that the warden that submitted #119 also submitted #127 (which is a valid duplicate of #522) cause where as bug cases are very similar, the former has an edge case attached to it and should stand on its own, unlike the latter which imo should be valid but OOS, reason below. About #522 and it's dups, bug is valid and exists, but I believe they are OOS since that particular bug case is considered a known issue due to the comments in code, and all the batches of reports rightfully duplicated to it(#522) only provide a fix to the known issue, which as far as I know on Code4rena, this does not count to be a valid Coming back to this issue & #119, breezing through the pre-sorted batch of #522, I assume only this report and #539 talks about this specific bug case and hint on making Thank you for your time. |
Hey @Bauchibred Your issue reverts because of the The #119 (comment) states that the attack still works when This issue is more similar to #453 than #119 Cheers. |
gzeon-c4 marked the issue as unsatisfactory: |
gzeon-c4 marked the issue as satisfactory |
Lines of code
https://github.com/code-423n4/2023-10-party/blob/b23c65d62a20921c709582b0b76b387f2bb9ebb5/contracts/crowdfund/ETHCrowdfundBase.sol#L140-L172
https://github.com/code-423n4/2023-10-party/blob/b23c65d62a20921c709582b0b76b387f2bb9ebb5/contracts/crowdfund/ETHCrowdfundBase.sol#L196-L273
Vulnerability details
Impact
Bug case has already being explained here, with protocol's work around for this being that a party's host call can just call
finalize()
after contributions are more thanminTotalContributions
Issue is that this workaround would not always work and could cause some crowdfunds to be stuck in the
active
state until it expires and ends up beinglost
.Proof of Concept
First, take a look at ETHCrowdfundBase.sol#L196-L273
In short, as referenced from the full code block and code comments, the current implementation of
ETHCrowdfundBase._processContribution()
contract inadvertently leads to a scenario where the contract fails to reach themaxTotalContributions
due to maybe a highminContribution
, specifically this occurs when the remaining balance needed to achievemaxTotalContributions
is less than theminContribution
.In such a case, new contributions cannot be made due to a reversion in
_processContribution()
, effectively causing the crowdfund to stall and can only be finalized if the party host calls onfinalize()
, but this can only happen if the total contribution is alreadyminTotalContributions
or more, but there are no assurances that this would always be the case, because while initializing we can see thatminTotalContributions
is allowed to be set equal tomaxTotalContributions
.The initialization logic can be seen here:
The above check only prevents
minTotalContributions
from being greater thanmaxTotalContributions
, but does not consider the scenario whereminTotalContributions
equalsmaxTotalContributions
, which leads to the deadlock in the crowdfund.In this logic, if the remaining contribution it takes to reach
minTotalContributions
in this case,maxTotalContributions
too since they are equal is below theminContribution
value, then_processContribution()
would always revert with theBelowMinimumContributionsError()
error, failing to achieve themaxTotalContributions
goal, which halts the crowdfunding process when close to its goal.Tool Used
Manual Review
Recommended Mitigation Steps
As long as
minContribution
is going to be used, thenminTotalContributions != maxTotalContributions
should be an invariant that's never broken, i.e., the initialization logic should be replaced with this:Another subtle hint is to ensure that the difference between
minTotalContributions
&maxTotalContributions
is always greater thanminContribution
, that way we close all the edge cases where this could happen.Assessed type
Context
The text was updated successfully, but these errors were encountered: