Gatekeepers are out of scope and no assets would be at risk. However, this particular gatekeeper TokenGateKeeper is intended for casual use so we aren't concerned.
Lines of code
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L393
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/gatekeepers/TokenGateKeeper.sol#L31-L38
Vulnerability details
Impact
Users who do not hold the required Token for contribution can still bypass this check easily.
Proof of Concept
If the Crowdfund is private by using TokenGateKeeper.sol, the contributor can contribute and then send the NFT or ERC20 to another user address. So two or more users can each send a contribution with the same Token, bypassing isAllowed().
Recommended Mitigation Steps
If it uses an NFT, you can track the ids.
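As an added illustration (not the project's TokenGateKeeper.sol or any PartyDAO code), a hypothetical ERC721 gatekeeper that shows the balance-only check the transfer trick gets past next to the id-tracking mitigation suggested above; the contract, function and mapping names (NftGateKeeperExample, isAllowedByBalance, consumeTokenId, usedTokenIds) are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC721 interface with just the two views the gatekeeper needs.
interface IERC721Min {
    function ownerOf(uint256 tokenId) external view returns (address);
    function balanceOf(address owner) external view returns (uint256);
}

// Hypothetical gatekeeper, not the project's TokenGateKeeper.sol: the weak
// balance check sits next to an id-tracking mitigation (minimum balance 1).
contract NftGateKeeperExample {
    struct Gate {
        IERC721Min token;
        address crowdfund; // the only caller allowed to consume token ids
    }

    mapping(bytes12 => Gate) public gateInfo;
    // gate id => tokenId => already used to gate a contribution
    mapping(bytes12 => mapping(uint256 => bool)) public usedTokenIds;
    uint96 private lastId;

    // Called by the crowdfund that wants to gate its contributions.
    function createGate(IERC721Min token) external returns (bytes12 id) {
        id = bytes12(++lastId);
        gateInfo[id] = Gate(token, msg.sender);
    }

    // Weak pattern: only a balance snapshot is checked, so one NFT can be
    // passed from wallet to wallet and satisfy the gate for every holder.
    function isAllowedByBalance(address participant, bytes12 id) external view returns (bool) {
        return gateInfo[id].token.balanceOf(participant) >= 1;
    }

    // Mitigation: the contributor names the tokenId it gates with, ownership is
    // verified, and the id is marked used so a transferred NFT cannot unlock a
    // second contribution. State-changing, so it cannot stay a view function.
    function consumeTokenId(address participant, bytes12 id, uint256 tokenId) external returns (bool) {
        Gate memory gate = gateInfo[id];
        require(msg.sender == gate.crowdfund, "not crowdfund");
        if (gate.token.ownerOf(tokenId) != participant) return false;
        if (usedTokenIds[id][tokenId]) return false;
        usedTokenIds[id][tokenId] = true;
        return true;
    }
}
```

The ERC20 case has no ids to track, so a balance-only gate over a fungible token keeps the same transfer-and-reuse weakness.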