In the function _createParty of contract Crowdfund.sol, when transferring the acquired NFTs to the new party, the transferFrom function is called instead of safeTransferFrom.
If address(party_) is a contract address that doesn't support ERC721 tokens, the NFT could be frozen in the contract.
As per the documentation of EIP-721:
A wallet/broker/auction application MUST implement the wallet interface if it will accept safe transfers.
Lines of code
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L301
Vulnerability details
Impact
In the function _createParty of contract Crowdfund.sol, when transferring the acquired NFTs to the new party, the transferFrom function is called instead of safeTransferFrom. If address(party_) is a contract address that doesn't support ERC721 tokens, the NFT could be frozen in the contract.
As per the documentation of EIP-721:
A wallet/broker/auction application MUST implement the wallet interface if it will accept safe transfers.
Ref: https://eips.ethereum.org/EIPS/eip-721
Proof of Concept
In line https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L301,
Tools Used
Manual review
Recommended Mitigation Steps
Consider changing transferFrom to safeTransferFrom at line 301.
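As an added illustration (not code from the PartyDAO repository), the contrast below shows why the recommendation matters: a recipient contract without the EIP-721 wallet interface is credited by transferFrom yet has no function that can move the token out again, while safeTransferFrom reverts on the same recipient. The contract names (DemoNFT, NonReceiver, ReceiverParty, TransferDemo) are constructed for this example, and it assumes OpenZeppelin's ERC721 and IERC721Receiver. Note that with the fix in place the party contract itself must implement onERC721Received, otherwise the safe transfer in _createParty reverts instead of completing.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumes OpenZeppelin contracts are available (example dependency).
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

// Constructed NFT used only for this demonstration.
contract DemoNFT is ERC721 {
    constructor() ERC721("Demo", "DEMO") {}
    function mint(address to, uint256 id) external { _mint(to, id); }
}

// Recipient that does NOT implement IERC721Receiver (constructed).
// transferFrom still assigns it the token, but it exposes no way to
// transfer or approve, so any NFT sent here is frozen.
contract NonReceiver {}

// Recipient that implements the wallet interface EIP-721 requires
// for safe transfers (constructed stand-in for a party contract).
contract ReceiverParty is IERC721Receiver {
    function onERC721Received(address, address, uint256, bytes calldata)
        external pure override returns (bytes4)
    {
        return IERC721Receiver.onERC721Received.selector;
    }
}

// Holds a freshly minted token and attempts both transfer styles.
contract TransferDemo {
    // Unsafe path: succeeds for NonReceiver and ReceiverParty alike,
    // so a non-receiving recipient ends up owning a stuck token.
    function unsafeTransfer(DemoNFT nft, address to, uint256 id) external {
        nft.mint(address(this), id);
        nft.transferFrom(address(this), to, id);
    }

    // Safe path: returns false (reverted) for NonReceiver because the
    // recipient lacks onERC721Received; returns true for ReceiverParty.
    function trySafeTransfer(DemoNFT nft, address to, uint256 id)
        external returns (bool ok)
    {
        nft.mint(address(this), id);
        try nft.safeTransferFrom(address(this), to, id) {
            ok = true;
        } catch {
            ok = false;
        }
    }
}
```

Deploying DemoNFT, NonReceiver and ReceiverParty and calling trySafeTransfer with each recipient reproduces the two outcomes: the NonReceiver call returns false while the ReceiverParty call returns true and the token changes hands.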