Lines of code
https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/crowdfund/Crowdfund.sol#L191
Vulnerability details
Impact
The AuctionCrowdfund.contribute function is missing the onlyDelegateCall modifier, which can lead to users contributing to the implementation contract, changing its state and getting their ETH locked.
Tools Used
Manual audit
Recommended Mitigation Steps
Add the onlyDelegateCall modifier to the AuctionCrowdfund.contribute function.
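A sketch of the guard this mitigation relies on, added here as an illustration and not taken from the PartyDAO code base. The names DelegateCallGuard, CrowdfundSketch, _self, contributeUnguarded and _record are hypothetical; the pattern shown is the common one of recording the implementation's own address in an immutable and comparing it against address(this).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not PartyDAO's code: all names below are hypothetical.
abstract contract DelegateCallGuard {
    // Set when the implementation is deployed. Immutables are stored in the
    // bytecode, so a proxy that delegatecalls into this code still reads the
    // implementation's address here.
    address private immutable _self = address(this);

    error OnlyDelegateCallError();

    modifier onlyDelegateCall() {
        // Under delegatecall, address(this) is the proxy and differs from _self.
        // Equality means the implementation was called directly.
        if (address(this) == _self) revert OnlyDelegateCallError();
        _;
    }
}

contract CrowdfundSketch is DelegateCallGuard {
    mapping(address => uint256) public contributions;
    uint256 public totalContributions;

    // Unguarded form, the shape the finding describes: a direct call to the
    // implementation succeeds, changes the implementation's own state and
    // leaves the ETH held by the implementation.
    function contributeUnguarded() external payable {
        _record(msg.sender, msg.value);
    }

    // Guarded form: a direct call to the implementation reverts, so the ETH
    // is returned to the caller and no state changes.
    function contribute() external payable onlyDelegateCall {
        _record(msg.sender, msg.value);
    }

    function _record(address contributor, uint256 amount) private {
        contributions[contributor] += amount;
        totalContributions += amount;
    }
}
```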