code-423n4 / 2022-09-party-findings


Arbitrary contract call allows attacker to steal from user's wallet #241

Closed code423n4 closed 1 year ago

code423n4 commented 2 years ago

Lines of code

https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/CrowdfundFactory.sol#L124

Vulnerability details

Impact

In function _prepareGate, in the following line:

(bool s, bytes memory r) = address(gateKeeper).call(createGateCallData);

A call to an arbitrary contract (gateKeeper) with custom calldata createGateCallData is made in _prepareGate(), which means the contract gateKeeper can be an ERC20 or ERC721 token, and the calldata can be transferFrom from a previously approved user.

The wallet balances (for the amount up to the allowance limit) of the tokens that users approved, or the ERC721 token that a user approved to the contract, can be stolen.

Proof of Concept

https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/CrowdfundFactory.sol#L124

Tools Used

Manual review

Recommended Mitigation Steps

Consider adding a whitelist for gateKeeper addresses.
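As an added illustration of the mitigation suggested above (not code from the PartyDAO repository or from the warden), the sketch below shows what an owner-managed allowlist of gateKeeper addresses could look like, checked before any caller-supplied calldata is forwarded. The contract name, the owner/allowlist storage, the custom errors and the assumption that the gatekeeper call returns an ABI-encoded bytes12 id are all hypothetical; only the low-level call line mirrors the one quoted in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical contract demonstrating the "allowlist the gatekeeper" mitigation.
/// Not the project's CrowdfundFactory; names and storage layout are assumptions.
contract GateKeeperAllowlist {
    address public immutable owner;

    // Only addresses explicitly enabled here may receive a forwarded call.
    mapping(address => bool) public allowedGateKeepers;

    event GateKeeperAllowed(address indexed gateKeeper, bool allowed);

    error NotOwner();
    error GateKeeperNotAllowed(address gateKeeper);
    error GateCreationFailed(bytes returnData);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    /// Governance/owner step: enable or disable a gatekeeper implementation.
    function setGateKeeper(address gateKeeper, bool allowed) external onlyOwner {
        allowedGateKeepers[gateKeeper] = allowed;
        emit GateKeeperAllowed(gateKeeper, allowed);
    }

    /// Hardened form of the pattern in the finding: the target must be on the
    /// allowlist before arbitrary calldata is forwarded to it. The bytes12 return
    /// type is an assumption made for this example.
    function _prepareGate(address gateKeeper, bytes memory createGateCallData)
        internal
        returns (bytes12 gateKeeperId)
    {
        if (gateKeeper == address(0)) {
            return bytes12(0); // no gate requested
        }
        if (!allowedGateKeepers[gateKeeper]) {
            revert GateKeeperNotAllowed(gateKeeper);
        }
        (bool s, bytes memory r) = gateKeeper.call(createGateCallData);
        if (!s) revert GateCreationFailed(r);
        gateKeeperId = abi.decode(r, (bytes12));
    }
}
```

The allowlist closes the "arbitrary target" half of the issue regardless of whether the contract ever holds approvals, at the cost of requiring an owner action before a new gatekeeper implementation can be used; the maintainers' replies below explain why they considered the risk inapplicable to this factory in the first place.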

merklejerk commented 1 year ago

CrowdfundFactory is not a target for approvals, nor will it ever hold any assets.

HardlyDifficult commented 1 year ago

Agree the factory shouldn't hold assets so this is not relevant. Closing as invalid.