Lines of code
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/CrowdfundFactory.sol#L124
Vulnerability details
Impact
In function _prepareGate, in the following line: a call to an arbitrary contract (gateKeeper) with custom calldata (createGateCallData) is made in _prepareGate(), which means the contract gateKeeper can be an ERC20 or ERC721 token and the calldata can be transferFrom from a previously approved user. The wallet balances (up to the allowance limit) of the tokens that users approved to the contract, or the ERC721 token that a user approved to the contract, can be stolen.
Proof of Concept
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/CrowdfundFactory.sol#L124
Tools Used
Manual review
Recommended Mitigation Steps
Consider adding a whitelist for gateKeeper addresses.
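The following is an added illustration, not PartyDAO's code: a minimal contract that reproduces the arbitrary-call pattern described in Impact beside the allowlisted variant suggested in the mitigation. The contract and function names (GateExample, _prepareGateUnsafe, _prepareGateSafe, allowedGateKeepers, createGate) are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the project's code. Shows why an unrestricted
// external call with caller-supplied calldata lets approved tokens be drained,
// and how an owner-managed allowlist of gatekeeper contracts closes it.
contract GateExample {
    address public immutable owner;
    // Allowlist of trusted gatekeeper contracts; only these may be called.
    mapping(address => bool) public allowedGateKeepers;

    constructor() {
        owner = msg.sender;
    }

    // Only the owner may add or remove gatekeeper contracts.
    function setGateKeeper(address gateKeeper, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedGateKeepers[gateKeeper] = allowed;
    }

    // Vulnerable pattern: the caller chooses both the target and the calldata.
    // If gateKeeper is an ERC20/ERC721 token and createGateCallData encodes
    // transferFrom(...), the token sees this contract as msg.sender, so any
    // allowance users granted to this contract is spendable by the caller.
    function _prepareGateUnsafe(address gateKeeper, bytes memory createGateCallData)
        internal returns (bytes memory)
    {
        (bool ok, bytes memory ret) = gateKeeper.call(createGateCallData);
        require(ok, "gate call failed");
        return ret;
    }

    // Hardened variant (the recommended mitigation): the target must be an
    // allowlisted gatekeeper, so a token contract can never be the callee.
    function _prepareGateSafe(address gateKeeper, bytes memory createGateCallData)
        internal returns (bytes memory)
    {
        require(allowedGateKeepers[gateKeeper], "gateKeeper not allowed");
        (bool ok, bytes memory ret) = gateKeeper.call(createGateCallData);
        require(ok, "gate call failed");
        return ret;
    }

    // Public entry point wired to the hardened path.
    function createGate(address gateKeeper, bytes calldata data) external returns (bytes memory) {
        return _prepareGateSafe(gateKeeper, data);
    }
}
```

Deploying this with an ERC20 that a user has approved to the contract and calling createGate against that token reverts with "gateKeeper not allowed", whereas routing the same input through _prepareGateUnsafe would execute the transfer.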