code-423n4 / 2022-09-party-findings


ETH will be locked in the crowdfund contracts #247

Closed code423n4 closed 1 year ago

code423n4 commented 2 years ago

Lines of code

https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/crowdfund/Crowdfund.sol#L280-L298

Vulnerability details

Impact

Any ETH that is transferred to the crowdfund contract will be locked, due to it not being transferred to the new party contract. This can lead to users who donate to the crowdfund (by transferring ETH, which means without getting any governance votes) losing their ETH, and to the ETH that was collected for an NFT that was given for free being locked.

Tools Used

Manual audit

Recommended Mitigation Steps

Consider transferring all the ETH in the crowdfund contract to the party contract once created.

merklejerk commented 1 year ago

This is not a supported interaction.

HardlyDifficult commented 1 year ago

This is a suggestion that could help prevent user error. Merging with the warden's QA report #261.