code-423n4 / 2022-09-party-findings


Locked ether #237

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/Party.sol#L47

Vulnerability details

Impact

In contract Party.sol there is a receive() declared. This means that the contract can accept ETH payments. But there is no function defined to withdraw the sent ether. So if a user accidentally sent ether to the contract, the ether would be locked, as there is no function to withdraw the ether.

Proof of Concept

https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/Party.sol#L47

Tools Used

Manual review

Recommended Mitigation Steps

Add a withdraw function to withdraw the sent ether or define a revert function inside the receive function if the feature is not required.

merklejerk commented 2 years ago

ETH is not locked up because a distribution can be created at any time.

HardlyDifficult commented 2 years ago

Agree with sponsor. Closing as invalid.
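
Added example, not part of the thread and not PartyDAO's code: the three shapes the discussion turns on, side by side. All contract, function and error names are hypothetical; `sweepToDistributor` is only a stand-in for any function that moves the balance out, such as the distribution the sponsor mentions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustration only. Names are hypothetical and do not mirror Party.sol.

/// The pattern the report describes: ETH can arrive, and no function
/// in the contract ever sends value out, so the balance is stuck.
contract Sink {
    receive() external payable {}
}

/// First mitigation in the report: refuse plain ETH transfers.
/// Caveat: ETH forced in via selfdestruct or paid as a block reward
/// bypasses receive(), so the balance can still become non-zero.
contract RejectsEth {
    error EthNotAccepted();

    receive() external payable {
        revert EthNotAccepted();
    }
}

/// Accepts ETH and has an outbound path. The path does not need to be
/// called "withdraw": any reachable function that transfers
/// address(this).balance means the ETH is not locked.
contract ForwardsBalance {
    address payable public immutable distributor; // assumed payout target

    error TransferFailed();

    constructor(address payable distributor_) {
        distributor = distributor_;
    }

    receive() external payable {}

    /// Sends the whole balance, including ETH sent by mistake,
    /// to the fixed distributor address.
    function sweepToDistributor() external {
        (bool ok, ) = distributor.call{value: address(this).balance}("");
        if (!ok) revert TransferFailed();
    }
}
```

When triaging a "locked ether" report, the check is whether any reachable code path sends value out of the contract (including inherited functions), not whether a function named withdraw exists.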