code-423n4 / 2022-09-party-findings


Users can contribute to the implementation contract #244

Closed code423n4 closed 1 year ago

code423n4 commented 2 years ago

Lines of code

https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/crowdfund/Crowdfund.sol#L191

Vulnerability details

Impact

The AuctionCrowdfund.contribute misses the onlyDelegateCall, which can lead to users contributing to the implementation contract, changing its state and getting their ETH locked.

Tools Used

Manual audit

Recommended Mitigation Steps

Add the onlyDelegateCall modifier to the AuctionCrowdfund.contribute function.
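The finding above in code, as an added illustration that is not the project's own code: an implementation contract intended to sit behind delegatecall proxies, showing an unguarded `contribute` next to one protected by an `onlyDelegateCall` modifier. The guard pattern (an immutable recording the implementation's own address, compared against `address(this)` at call time) and the contract and function names are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative implementation contract meant to be used only behind proxies.
// The guard pattern below is an assumption for this example, not PartyDAO's code.
contract CrowdfundImpl {
    // Address of this implementation, captured at construction. Inside a
    // proxy's delegatecall, address(this) is the proxy, so the two differ.
    address private immutable IMPL;

    mapping(address => uint256) public contributions;
    uint256 public totalContributions;

    error OnlyDelegateCallError();

    constructor() {
        IMPL = address(this);
    }

    // Reverts when the function is executed in the implementation's own
    // context, i.e. when someone calls the implementation address directly.
    modifier onlyDelegateCall() {
        if (address(this) == IMPL) revert OnlyDelegateCallError();
        _;
    }

    // Vulnerable shape: callable directly on the implementation, so ETH sent
    // here is credited in the implementation's own storage, where no
    // crowdfund lifecycle (bidding, refunds) will ever pay it back out.
    function contributeUnguarded() external payable {
        contributions[msg.sender] += msg.value;
        totalContributions += msg.value;
    }

    // Mitigated shape: only reachable through a proxy's delegatecall, so the
    // contribution lands in that proxy's storage.
    function contribute() external payable onlyDelegateCall {
        contributions[msg.sender] += msg.value;
        totalContributions += msg.value;
    }
}
```

Calling `contribute()` on the deployed implementation address reverts with `OnlyDelegateCallError`, while the same call made through a delegatecall proxy succeeds and records the contribution in the proxy's storage.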

merklejerk commented 1 year ago

Will add onlyDelegateCall there.

0xble commented 1 year ago

Resolved: https://github.com/PartyDAO/partybidV2/pull/136

HardlyDifficult commented 1 year ago

Interacting with the implementation directly is a way to protect against user error. Downgrading to QA and merging with #261