code-423n4 / 2022-09-party-findings


ETH can be stuck in contract when NFT was gifted to party (AuctionCrowdfund.sol) #246

Closed code423n4 closed 1 year ago

code423n4 commented 2 years ago

Lines of code

https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/crowdfund/AuctionCrowdfund.sol#L234-L242

Vulnerability details

Impact

We can call the function finalize(), which will claim the NFT if we won. After claiming the NFT, the function will check whether the contract is the owner of the NFT or not.

if (lastBid_ == 0) {
    // The NFT was gifted to us. Everyone who contributed wins.
    lastBid_ = totalContributions;
    if (lastBid_ == 0) {
        // Nobody ever contributed. The NFT is effectively burned.
        revert NoContributionsError();
    }
    lastBid = lastBid_;
}

In some rare cases, the NFT can be gifted to us for some reason. If that case happens, lastBid_ will be set equal to totalContributions, which means everyone who contributed to this crowdfund wins. This will make anyone who wants to call the function burn() to get ETH gain nothing (because everyone wins). Moreover, there is no function for hosts to withdraw the remaining funds; all ETH which was contributed to this crowdfund will be frozen in the contract forever.

In the same sense, this vulnerability can happen with the contract BuyCrowdfundBase when callValue = 0: https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/crowdfund/BuyCrowdfundBase.sol#L122

Tools Used

Manual review

Recommended Mitigation Steps

Consider adding one more variable to handle this special case. This variable will let the user (or host) get ETH back when the NFT was gifted.

merklejerk commented 1 year ago

Duplicate of #92

HardlyDifficult commented 1 year ago

This report does not seem to provide insights beyond what was mentioned in the known issues. Closing as invalid.