mitigations: #306 (QA-2, QA-3, QA-5) (#354)

* implement QA-2, QA-3, and QA-5 suggestions

* fix `voteDuration` check

* fix tests

contracts/crowdfund/ETHCrowdfundBase.sol

@@ -66,6 +66,7 @@ abstract contract ETHCrowdfundBase is Implementation {
     error BelowMinimumContributionsError(uint96 contributions, uint96 minContributions);
     error AboveMaximumContributionsError(uint96 contributions, uint96 maxContributions);
     error InvalidExchangeRateError(uint16 exchangeRateBps);
+    error InvalidFundingSplitRecipient();
     error ContributingForExistingCardDisabledError();
     error ZeroVotingPowerError();
     error FundingSplitAlreadyPaidError();
@@ -167,6 +168,9 @@ abstract contract ETHCrowdfundBase is Implementation {
         // Set the funding split and its recipient.
         fundingSplitBps = opts.fundingSplitBps;
         fundingSplitRecipient = opts.fundingSplitRecipient;
+        if (opts.fundingSplitBps > 0 && opts.fundingSplitRecipient == address(0)) {
+            revert InvalidFundingSplitRecipient();
+        }
         // Set whether to disable contributing for existing card.
         disableContributingForExistingCard = opts.disableContributingForExistingCard;
     }

contracts/crowdfund/InitialETHCrowdfund.sol

@@ -156,10 +156,9 @@ contract InitialETHCrowdfund is ETHCrowdfundBase {
         gateKeeperId = crowdfundOpts.gateKeeperId;
     }
 
-    /// @notice Contribute ETH to this crowdfund on behalf of a contributor.
-    /// @param initialDelegate The address to which voting power will be delegated to
-    ///                        during the governance phase. This will be ignored
-    ///                        if recipient has already set a delegate.
+    /// @notice Contribute ETH to this crowdfund.
+    /// @param initialDelegate The address to which voting power will be
+    ///                        delegated to during the governance phase.
     /// @param gateData Data to pass to the gatekeeper to prove eligibility.
     /// @return votingPower The voting power the contributor receives for their
     ///                     contribution.
@@ -177,7 +176,7 @@ contract InitialETHCrowdfund is ETHCrowdfundBase {
             );
     }
 
-    /// @notice Contribute ETH to this crowdfund on behalf of a contributor.
+    /// @notice Contribute ETH to this crowdfund.
     /// @param tokenId The ID of the card the contribution is being made towards.
     /// @param initialDelegate The address to which voting power will be delegated to
     ///                        during the governance phase. This will be ignored

contracts/party/PartyGovernance.sol

@@ -184,6 +184,7 @@ abstract contract PartyGovernance is
     error InvalidNewHostError();
     error ProposalCannotBeCancelledYetError(uint40 currentTime, uint40 cancelTime);
     error InvalidBpsError(uint16 bps);
+    error InvalidGovernanceParameter(uint256 value);
     error DistributionsRequireVoteError();
     error PartyNotStartedError();
     error CannotRageQuitAndAcceptError();
@@ -291,6 +292,9 @@ abstract contract PartyGovernance is
             IProposalExecutionEngine(_GLOBALS.getAddress(LibGlobals.GLOBAL_PROPOSAL_ENGINE_IMPL)),
             abi.encode(proposalEngineOpts)
         );
+        if (govOpts.voteDuration < 1 hours) {
+            revert InvalidGovernanceParameter(govOpts.voteDuration);
+        }
         // Set the governance parameters.
         _getSharedProposalStorage().governanceValues = GovernanceValues({
             voteDuration: govOpts.voteDuration,

test/GasBenchmarks.t.sol

@@ -29,7 +29,7 @@ contract GasBenchmarks is SetupPartyHelper {
         opts.name = "PARTY";
         opts.symbol = "PR-T";
         opts.governance.hosts = hosts;
-        opts.governance.voteDuration = 99;
+        opts.governance.voteDuration = 1 hours;
         opts.governance.executionDelay = _EXECUTION_DELAY;
         opts.governance.passThresholdBps = 1000;
         opts.governance.totalVotingPower = 301;
@@ -51,7 +51,7 @@ contract GasBenchmarks is SetupPartyHelper {
         opts.name = "PARTY";
         opts.symbol = "PR-T";
         opts.governance.hosts = hosts;
-        opts.governance.voteDuration = 99;
+        opts.governance.voteDuration = 1 hours;
         opts.governance.executionDelay = _EXECUTION_DELAY;
         opts.governance.passThresholdBps = 1000;
         opts.governance.totalVotingPower = 301;
@@ -227,7 +227,7 @@ contract GasBenchmarks is SetupPartyHelper {
         partyOpts.name = "PARTY";
         partyOpts.symbol = "PR-T";
         partyOpts.governanceOpts.hosts = hosts;
-        partyOpts.governanceOpts.voteDuration = 99;
+        partyOpts.governanceOpts.voteDuration = 1 hours;
         partyOpts.governanceOpts.executionDelay = _EXECUTION_DELAY;
         partyOpts.governanceOpts.passThresholdBps = 1000;
         partyOpts.governanceOpts.partyFactory = partyFactory;

test/TestUsers.sol

@@ -119,7 +119,7 @@ contract PartyAdmin is Test {
             Party.PartyOptions({
                 governance: PartyGovernance.GovernanceOpts({
                     hosts: hosts,
-                    voteDuration: 99,
+                    voteDuration: 1 hours,
                     executionDelay: 300,
                     passThresholdBps: partyOpts.passThresholdBps,
                     totalVotingPower: partyOpts.totalVotingPower,

test/crowdfund/AtomicManualParty.t.sol

@@ -41,7 +41,7 @@ contract AtomicManualPartyTest is SetupPartyHelper {
         Party.PartyOptions memory opts;
         opts.name = "PARTY";
         opts.symbol = "PR-T";
-        opts.governance.voteDuration = 99;
+        opts.governance.voteDuration = 1 hours;
         opts.governance.executionDelay = _EXECUTION_DELAY;
         opts.governance.passThresholdBps = 1000;
         opts.governance.totalVotingPower = 180;
@@ -100,7 +100,7 @@ contract AtomicManualPartyTest is SetupPartyHelper {
         Party.PartyOptions memory opts;
         opts.name = "PARTY";
         opts.symbol = "PR-T";
-        opts.governance.voteDuration = 99;
+        opts.governance.voteDuration = 1 hours;
         opts.governance.executionDelay = _EXECUTION_DELAY;
         opts.governance.passThresholdBps = 1000;
         opts.governance.totalVotingPower = 180;
@@ -149,7 +149,7 @@ contract AtomicManualPartyTest is SetupPartyHelper {
         Party.PartyOptions memory opts;
         opts.name = "PARTY";
         opts.symbol = "PR-T";
-        opts.governance.voteDuration = 99;
+        opts.governance.voteDuration = 1 hours;
         opts.governance.executionDelay = _EXECUTION_DELAY;
         opts.governance.passThresholdBps = 1000;
         opts.governance.totalVotingPower = 180;
@@ -181,7 +181,7 @@ contract AtomicManualPartyTest is SetupPartyHelper {
         Party.PartyOptions memory opts;
         opts.name = "PARTY";
         opts.symbol = "PR-T";
-        opts.governance.voteDuration = 99;
+        opts.governance.voteDuration = 1 hours;
         opts.governance.executionDelay = _EXECUTION_DELAY;
         opts.governance.passThresholdBps = 1000;
         opts.governance.totalVotingPower = 180;
@@ -206,7 +206,7 @@ contract AtomicManualPartyTest is SetupPartyHelper {
         Party.PartyOptions memory opts;
         opts.name = "PARTY";
         opts.symbol = "PR-T";
-        opts.governance.voteDuration = 99;
+        opts.governance.voteDuration = 1 hours;
         opts.governance.executionDelay = _EXECUTION_DELAY;
         opts.governance.passThresholdBps = 1000;
         opts.governance.totalVotingPower = 260;
@@ -257,7 +257,7 @@ contract AtomicManualPartyTest is SetupPartyHelper {
         Party.PartyOptions memory opts;
         opts.name = "PARTY";
         opts.symbol = "PR-T";
-        opts.governance.voteDuration = 99;
+        opts.governance.voteDuration = 1 hours;
         opts.governance.executionDelay = _EXECUTION_DELAY;
         opts.governance.passThresholdBps = 1000;
         opts.governance.totalVotingPower = 180;
@@ -289,7 +289,7 @@ contract AtomicManualPartyTest is SetupPartyHelper {
         Party.PartyOptions memory opts;
         opts.name = "PARTY";
         opts.symbol = "PR-T";
-        opts.governance.voteDuration = 99;
+        opts.governance.voteDuration = 1 hours;
         opts.governance.executionDelay = _EXECUTION_DELAY;
         opts.governance.passThresholdBps = 1000;
         opts.governance.totalVotingPower = 180;

test/crowdfund/CrowdfundFactory.t.sol

@@ -135,7 +135,7 @@ contract CrowdfundFactoryTest is Test, TestUtils {
                     partyImpl: party,
                     partyFactory: partyFactory,
                     hosts: _toAddressArray(_randomAddress()),
-                    voteDuration: randomUint40,
+                    voteDuration: randomUint40 < 1 hours ? 1 hours : randomUint40,
                     executionDelay: randomUint40,
                     passThresholdBps: randomBps,
                     feeBps: randomBps,
@@ -223,7 +223,7 @@ contract CrowdfundFactoryTest is Test, TestUtils {
                     partyImpl: party,
                     partyFactory: partyFactory,
                     hosts: _toAddressArray(_randomAddress()),
-                    voteDuration: randomUint40,
+                    voteDuration: randomUint40 < 1 hours ? 1 hours : randomUint40,
                     executionDelay: randomUint40,
                     passThresholdBps: randomBps,
                     feeBps: randomBps,
@@ -434,7 +434,7 @@ contract CrowdfundFactoryTest is Test, TestUtils {
                 partyImpl: party,
                 partyFactory: partyFactory,
                 hosts: _toAddressArray(_randomAddress()),
-                voteDuration: randomUint40,
+                voteDuration: randomUint40 < 1 hours ? 1 hours : randomUint40,
                 executionDelay: randomUint40,
                 passThresholdBps: randomBps,
                 feeBps: randomBps,
@@ -510,7 +510,7 @@ contract CrowdfundFactoryTest is Test, TestUtils {
                     partyImpl: party,
                     partyFactory: partyFactory,
                     hosts: _toAddressArray(_randomAddress()),
-                    voteDuration: randomUint40,
+                    voteDuration: randomUint40 < 1 hours ? 1 hours : randomUint40,
                     executionDelay: randomUint40,
                     passThresholdBps: randomBps,
                     feeBps: randomBps,
@@ -589,7 +589,7 @@ contract CrowdfundFactoryTest is Test, TestUtils {
                     partyImpl: party,
                     partyFactory: partyFactory,
                     hosts: _toAddressArray(_randomAddress()),
-                    voteDuration: randomUint40,
+                    voteDuration: randomUint40 < 1 hours ? 1 hours : randomUint40,
                     executionDelay: randomUint40,
                     passThresholdBps: randomBps,
                     feeBps: randomBps,
@@ -696,7 +696,7 @@ contract CrowdfundFactoryTest is Test, TestUtils {
                 partyImpl: party,
                 partyFactory: partyFactory,
                 hosts: _toAddressArray(_randomAddress()),
-                voteDuration: randomUint40,
+                voteDuration: randomUint40 < 1 hours ? 1 hours : randomUint40,
                 executionDelay: randomUint40,
                 passThresholdBps: randomBps,
                 feeBps: randomBps,
@@ -800,7 +800,7 @@ contract CrowdfundFactoryTest is Test, TestUtils {
                 partyImpl: party,
                 partyFactory: partyFactory,
                 hosts: _toAddressArray(_randomAddress()),
-                voteDuration: randomUint40,
+                voteDuration: randomUint40 < 1 hours ? 1 hours : randomUint40,
                 executionDelay: randomUint40,
                 passThresholdBps: randomBps,
                 feeBps: randomBps,
@@ -967,7 +967,7 @@ contract CrowdfundFactoryTest is Test, TestUtils {
                     partyImpl: party,
                     partyFactory: partyFactory,
                     hosts: _toAddressArray(_randomAddress()),
-                    voteDuration: randomUint40,
+                    voteDuration: randomUint40 < 1 hours ? 1 hours : randomUint40,
                     executionDelay: randomUint40,
                     passThresholdBps: randomBps,
                     feeBps: randomBps,

test/party/PartyFactory.t.sol

@@ -76,7 +76,7 @@ contract PartyFactoryTest is Test, TestUtils {
         Party.PartyOptions memory opts = Party.PartyOptions({
             governance: PartyGovernance.GovernanceOpts({
                 hosts: _toAddressArray(_randomAddress()),
-                voteDuration: randomUint40,
+                voteDuration: randomUint40 < 1 hours ? 1 hours : randomUint40,
                 executionDelay: randomUint40,
                 passThresholdBps: randomBps,
                 totalVotingPower: randomUint96,
@@ -138,7 +138,7 @@ contract PartyFactoryTest is Test, TestUtils {
         Party.PartyOptions memory opts = Party.PartyOptions({
             governance: PartyGovernance.GovernanceOpts({
                 hosts: _toAddressArray(_randomAddress()),
-                voteDuration: randomUint40,
+                voteDuration: randomUint40 < 1 hours ? 1 hours : randomUint40,
                 executionDelay: randomUint40,
                 passThresholdBps: randomBps,
                 totalVotingPower: randomUint96,

test/party/PartyGovernance.t.sol

@@ -925,7 +925,7 @@ contract PartyGovernanceTest is Test, TestUtils {
 
         _assertProposalStatus(party, 1, PartyGovernance.ProposalStatus.Voting, 50);
 
-        vm.warp(block.timestamp + 98);
+        vm.warp(block.timestamp + 1 hours - 1);
         _assertProposalStatus(party, 1, PartyGovernance.ProposalStatus.Voting, 50);
 
         // ensure defeated

test/party/PartyGovernanceNFTUnit.sol

@@ -52,6 +52,7 @@ contract PartyGovernanceNFTUnitTest is TestUtils {
     ProposalStorage.ProposalEngineOpts defaultProposalEngineOpts;
 
     function _initGovernance() private {
+        defaultGovernanceOpts.voteDuration = 1 hours;
         defaultGovernanceOpts.totalVotingPower = 1e18;
         nft.initialize(
             "TEST",

test/party/PartyGovernanceUnit.t.sol

@@ -1485,7 +1485,7 @@ contract PartyGovernanceUnitTest is Test, TestUtils {
             uint256[] memory preciousTokenIds
         ) = _createPreciousTokens(2);
         defaultGovernanceOpts.executionDelay = 60;
-        defaultGovernanceOpts.voteDuration = 61;
+        defaultGovernanceOpts.voteDuration = 1 hours;
         TestablePartyGovernance gov = _createGovernance(
             false,
             100e18,

test/proposals/SetGovernanceParameterProposal.t.sol

@@ -14,7 +14,7 @@ contract SetGovernanceParameterProposalTest is SetupPartyHelper {
     event ProposalPassed(uint256 indexed proposalId);
 
     uint256 oldPassThresholdBps = 1000;
-    uint256 oldVoteDuration = 300;
+    uint256 oldVoteDuration = 1 hours;
     uint256 oldExecutionDelay = 99;
 
     function testGovernanceParameterProposal_multiple() public {

test/utils/SetupPartyHelper.sol

@@ -106,7 +106,7 @@ abstract contract SetupPartyHelper is TestUtils, ERC721Receiver {
         opts.name = "PARTY";
         opts.symbol = "PR-T";
         opts.governance.hosts = hosts;
-        opts.governance.voteDuration = 300;
+        opts.governance.voteDuration = 1 hours;
         opts.governance.executionDelay = _EXECUTION_DELAY;
         opts.governance.passThresholdBps = 1000;
         opts.proposalEngine.allowArbCallsToSpendPartyEth = true;