TokenDistributor.claimFee() is a public function that accepts user-controlled input. Its logic transfers funds from the contract to a receiver based entirely on the DistributionInfo supplied by the caller, so anybody can claim a fee by passing an arbitrary DistributionInfo as the function argument.
Alice calls TokenDistributor.claimFee() with her own address as recipient and a custom DistributionInfo such that:
info.tokenType = TokenType.Native
info.token = NATIVE_TOKEN_ADDRESS
info.feeRecipient = alice
info.fee = 199.99 ether
Alice would receive 199.99 ETH: the forged input would pass the function's checks and _transfer() would be called to send the ETH to Alice as the receiver.
Lines of code
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L190-L222
Vulnerability details
Impact
Impact
Because claimFee() trusts the caller-supplied DistributionInfo, the fee amount, token type and fee recipient are all attacker-controlled, so the ETH held by TokenDistributor can be drained by anyone (see the scenario above). This holds only if claimFee() does not bind the supplied struct to state recorded when the distribution was created (for example a stored hash of the DistributionInfo); confirm in the linked lines that no such check precedes _transfer() before treating the issue as exploitable.
Proof of Concept
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L190-L222
Tools Used
Manual review
Recommended Mitigation Steps
Do not trust the caller-supplied DistributionInfo. Commit to each distribution when it is created (for example by storing a hash of the DistributionInfo keyed by distribution ID) and have claimFee() re-verify the supplied struct against that commitment, require msg.sender == info.feeRecipient, and mark the fee as claimed before calling _transfer() so it cannot be taken twice.
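The following Solidity is an added illustration of the mitigation, not PartyDAO's code: a minimal distributor written in the pattern the finding describes (the struct is used exactly as supplied) beside a hardened version that commits to the DistributionInfo at creation time and re-verifies it on claim. The DistributionInfo fields mirror those named above; the distributionId field, the contract names, the error names and createNativeDistribution() are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative contracts (not PartyDAO's code). DistributionInfo fields mirror the ones
// named in the finding; `distributionId`, the contract names, the error names and
// createNativeDistribution() are assumptions made for this example.

enum TokenType { Native, Erc20 }

address constant NATIVE_TOKEN_ADDRESS = address(0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE);

struct DistributionInfo {
    uint256 distributionId;
    TokenType tokenType;
    address token;
    address payable feeRecipient;
    uint128 fee;
}

abstract contract NativeTransfer {
    receive() external payable {}

    // Only the native branch is shown; the trust problem is identical for ERC-20 tokens.
    function _transfer(TokenType tokenType, address token, address payable to, uint256 amount) internal {
        require(tokenType == TokenType.Native && token == NATIVE_TOKEN_ADDRESS, "erc20 branch not shown");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "native transfer failed");
    }
}

// The pattern the finding describes: `info` is used as supplied, so any caller
// chooses info.fee and drains the contract balance.
contract VulnerableDistributor is NativeTransfer {
    function claimFee(DistributionInfo calldata info, address payable recipient) external {
        _transfer(info.tokenType, info.token, recipient, info.fee);
    }
}

// Hardened version: every distribution is committed to (keccak256 of the struct) when it
// is created; claimFee() re-verifies that commitment, restricts the call to the recorded
// fee recipient and marks the fee as claimed before paying out.
contract HardenedDistributor is NativeTransfer {
    mapping(uint256 => bytes32) public distributionHash;
    mapping(uint256 => bool) public wasFeeClaimed;
    uint256 public lastDistributionId;

    error InvalidDistributionInfo();
    error OnlyFeeRecipient(address caller, address feeRecipient);
    error FeeAlreadyClaimed(uint256 distributionId);

    // Creation path (would be permissioned in a real deployment): records the only
    // DistributionInfo that may later be claimed for this id.
    function createNativeDistribution(address payable feeRecipient, uint128 fee)
        external
        payable
        returns (DistributionInfo memory info)
    {
        require(msg.value >= fee, "fee exceeds deposit");
        uint256 id = ++lastDistributionId;
        info = DistributionInfo(id, TokenType.Native, NATIVE_TOKEN_ADDRESS, feeRecipient, fee);
        distributionHash[id] = keccak256(abi.encode(info));
    }

    function claimFee(DistributionInfo calldata info, address payable recipient) external {
        // 1. The caller-supplied struct must match the one recorded at creation,
        //    so fee, token and feeRecipient cannot be forged.
        if (distributionHash[info.distributionId] != keccak256(abi.encode(info))) {
            revert InvalidDistributionInfo();
        }
        // 2. Only the recorded fee recipient may trigger the payout.
        if (msg.sender != info.feeRecipient) {
            revert OnlyFeeRecipient(msg.sender, info.feeRecipient);
        }
        // 3. The fee can be taken only once; state is updated before the external call.
        if (wasFeeClaimed[info.distributionId]) {
            revert FeeAlreadyClaimed(info.distributionId);
        }
        wasFeeClaimed[info.distributionId] = true;
        _transfer(info.tokenType, info.token, recipient, info.fee);
    }
}
```

Against HardenedDistributor, the scenario above fails at step 1: a DistributionInfo with info.fee = 199.99 ether that was never created hashes to a value not present in distributionHash, so the call reverts before _transfer() is reached. The hash check is what actually closes the hole; the msg.sender check alone would not, since the attacker also controls info.feeRecipient.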