HackMD
PartyBid Report
Scope
This report was prepared by Alex Towle as a part of a security focused review conducted on the PartyBid system that was developed by PartyDAO.
The system that was reviewed includes the PartyBidFactory, the PartyBid logic contract, and the proxy infrastructure that will be used by the PartyBid system. This review analyzes the security properties exhibited by PartyBid instances that are deployed by a PartyBidFactory that is seeded with reasonable initial parameters. These initial parameters should refer to (1) a real WETH contract, (2) the canonical PartyDAO multisig, and (3) a real Fractional token vault contract. PartyBid instances that are deployed outside of the main PartyBidFactory flow are not covered by this review and should be treated with caution.
Overview
The intention of the PartyBid system is to allow users to pool ether to buy targeted NFTs. Contributing ether to the pool is permissionless, and anyone that has contributed to the pool can increase the bid of the PartyBid instance to the lowest winning bid at the time. Once the NFT auction is finalized, the claim process ensues. If the target is won, the target will be fractionalized and will be claimable by users that contributed ether that was actually used to buy the piece. Users that contributed surplus ether (the last contributions made) will have their ether refunded. The PartyDAO multisig receives a 5% fee on the purchase price of the target.
Findings
The following findings are evaluated on the OWASP scale which classifies software bugs by both severity and likelihood.
Critical
N/A
High
N/A
Medium
N/A
Low
1. PartyDAO Multisig MEV
Since the PartyDAO multisig receives the PartyBid fee in ether, this fee revenue is owned by members of the multisig that have a majority (provided that the multisig is governed in the conventional way). This fact could be used maliciously depending on the implementation of the multisig registered in the PartyBid contract. For the following attack to be possible, the multisig would need to be capable of executing several smart contract calls to several distinct contracts.
What follows is a sketch of how a malicious multisig could "steal" part of the fractionalized NFT. This sketch is simplified by the assumption that the multisig is selling the NFT, but a similar exploit can be executed with multisig and NFT owner collusion in the case that the multisig doesn't own the NFT:
- A malicious subset of the multisig with a majority vote sells a valuable NFT and a
PartyBidinstance accumulates enough value to win the piece. Before thePartyBidinstance is finalized, the malicious members of the multisig could submit a batched transaction that performs several actions. First, the multisig takes out a large flash loan in ether. Next the multisig bids up the piece being sold with part of the flash loan. The multisig then contributes the remaining amount of ether to thePartyBidinstance, increases thePartyBidbid, and finalizes the auction. Once the auction is finalized, the multisig will receive the ether from the auction (since it owns the NFT being sold) and the fee that was paid to thePartyDAOmultisig. Since the bid that was made by the multisig directly was refunded when the last bid was submitted by thePartyBidcontract, the multisig recovers (1) the purchase price of the NFT (minus any fee charged by the auction house), (2) thePartyBidfee, and (3) the ether used for the direct bid. Once all of this has been completed, the multisig will have the ether from the flash loan minus any fees that were paid to the auction house and a share of the fractionalized NFT. The remaining ether along with any surplus needed to cover auction fees and flash loan fees can be returned to repay the flash loan.
The assumption that the multisig will be able to repay the flash loan fees and auction fees is reasonable considering that some flash loan venues don't charge fees, some auctions may not charge fees (but could still be supported by the PartyBid system), and that the fractionalized NFT share that the multisig receives may be valuable and marketable. The likelihood of such an exploit is low; however, it is theoretically possible given the contract implementation and would have a medium to high impact on users.
*The PartyDAO multisig is assumed to be aligned with the success of the PartyBid project and will thus be hurt reputationally by the exploitation of MEV. This assumption reduces the severity of the vulnerability and explains why the likelihood is assumed to be "low".
Note
1. Price Manipulation Vulnerability
Since bidding is essentially permissionless, the owner of a given NFT can increase the bid of the PartyBid instance. This fact means that an NFT owner can always bid up their piece on the auction house so that the minimum bid is the maximum bid of the PartyBid instance, which will allow them to extract all of the ether from PartyBid instances. With this in mind, it should be assumed that PartyBid instances will either (1) lose the target auction or (2) spend all of the ether in the contract to win the auction (unless there simply isn't enough capital in the lending markets to make a competing bid). This issue is extremely easily exploitable due to the proliferation of flash loans.
This issue worsens the lack of price controls for early contributors since late contributors to a PartyBid instance that is already winning will likely be included in the auction price which will dilute the early contributors' share of the fractionalized NFT.
2. Check for Zora Auction Currency
There is no check to ensure that Zora auctions are settled in ETH. User funds do not appear to be at risk as the Zora AuctionHouse contract will revert if the specified bid amount is not provided in the target currency. This said, PartyBid instances that target Zora auctions that aren't settled in ether are a waste of time for PartyBid users.
To prevent such instances from being created by the PartyBidFactory, a check can be made in the ZoraMarketWrapper's auctionIdMatchesToken function that the auction's currency is ether (address 0).
3. Market Wrapper Verification
The ZoraMarketWrapper and FoundationMarketWrapper contracts were covered in this review and were found to be of high quality. Note (1) refers to a minor nitpick that was found during the review relating to the ZoraMarketWrapper.
As the code documents, the market wrapper implementation is quite security critical. Custom market wrappers have a high potential for malicious activity. While the ZoraMarketWrapper and FoundationMarketWrapper were implemented in a satisfactory way, users should take caution to ensure that a PartyDAO-reviewed market wrapper is used in any PartyBid contract that they are utilizing. PartyDAO has stated that their UI implementation will notify users when PartyBid instances use custom market wrapper implementations. This is a reasonable mitigation.
4. Auction Target Verification
Just like malicious market wrappers can result in a loss of funds, malicious ERC721 tokens can also result in loss of funds. Custom safeTransferFrom functions, custom ownerOf functions, and simple ERC721 backdoors (for example an onlyOwner withdrawal flow) could all result in a PartyBid instance's ether and NFT being taken by an artist.
Users should always ensure that the target of their PartyBid instance is a standard (or reasonably implemented) ERC721 token. This is left as a note because PartyDAO plans to add notifications in the UI for unknown tokens.
Conclusion
Overall, I found the contracts included in this review to be high-quality and well-tested. Provided that the PartyDAO multisig acts responsibly and that users understand the promise that the PartyBid provides, PartyBid auctions should proceed as PartyDAO intended. This said, it's important for users to keep in mind that participating in a PartyDAO means that all of their funds may be utilized to buy the target NFT and that users do not have the ability to set an upper limit on the price that they are willing to pay. Users should only contribute to PartyBid instances that target pieces that they really want to buy and should use caution when contributing to PartyBid instances that are already winning their auctions.
