code-423n4 / 2022-09-party-findings


Call can return true for EOAs and non-existing contracts #243

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/crowdfund/AuctionCrowdfund.sol#L178

Vulnerability details

Impact

As written in the documentation, the low-level functions call, delegatecall and staticcall return true as their first return value if the account called is non-existent, as part of the design of the EVM. Account existence must be checked prior to calling if needed. The low-level functions call and delegatecall are used in some places in the code, which can be problematic. For example, the AuctionCrowdfund.bid function delegatecalls to the market wrapper, which can be non-existing and make the action succeed when it shouldn't.

Tools Used

Manual audit

Recommended Mitigation Steps

Check that the address which the low-level calls are performed to is a contract by checking that its code length is > 0.
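An added illustration of the finding and of the recommended code-length check, not PartyDAO's code; the contract and function names below are made up for the example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added example (not part of the PartyDAO codebase): shows why a raw
/// call/delegatecall to an address with no code reports success, and the
/// `code.length > 0` check the finding recommends before such calls.
contract LowLevelCallCheck {
    error NotAContract(address target);

    /// Demonstration: for an EOA or an undeployed address, `ok` is true
    /// (the EVM treats a call into empty code as a successful no-op)
    /// while `hasCode` is false.
    function probe(address target) external returns (bool ok, bool hasCode) {
        (ok, ) = target.call(abi.encodeWithSignature("doesNotExist()"));
        hasCode = target.code.length > 0;
    }

    /// Unchecked pattern (the shape of the finding): the caller cannot
    /// tell "wrapper ran and returned true" from "nothing ran at all".
    function uncheckedDelegateCall(address target, bytes memory data)
        external
        returns (bool ok, bytes memory ret)
    {
        (ok, ret) = target.delegatecall(data);
    }

    /// Hardened pattern: refuse to delegatecall into anything without code,
    /// and bubble up the target's revert reason instead of swallowing it.
    /// Caveat: `code.length` is also zero while the target is still inside
    /// its constructor, so the check only covers already-deployed contracts.
    function checkedDelegateCall(address target, bytes memory data)
        external
        returns (bytes memory ret)
    {
        if (target.code.length == 0) revert NotAContract(target);
        bool ok;
        (ok, ret) = target.delegatecall(data);
        if (!ok) {
            // re-raise the callee's revert data unchanged
            assembly {
                revert(add(ret, 0x20), mload(ret))
            }
        }
    }
}
```

On compilers that predate `address.code.length`, the same check is `extcodesize(target)` in inline assembly.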

merklejerk commented 2 years ago

The FE will only suggest curated market wrappers, which definitely exist.

HardlyDifficult commented 2 years ago

This report does not seem to explore the potential impact or abuse here. Downgrading to QA and merging with #261