merklejerk
commented
1 year ago Duplicate of #18
Closed code423n4 closed 1 year ago
merklejerk
commented
1 year ago Duplicate of #18
HardlyDifficult
commented
1 year ago Merging with the warden's QA report #280
Lines of code
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L480
Vulnerability details
Impact
_burn()callsparty.mint()which then calls_mint(). This does not check that the receiver accepts ERC721 token transfers like_safeMint()does. If a user was not be able to receive their ERC721 token. They won't be able to move their voting power to new accounts and could cause other issues in the future.Tools Used
Manual Review
Recommended Mitigation Steps
Consider the use of
_safeMint()method instead of_mint(). On top of this add a reentrancy guard for_safeMint()does introduces a reentrancy opportunity. Alternatively, document the design decision to use_mint()and the associated risk for end users.