Buying non-ERC721 NFTs is not supported #142
Labels
bug
Something isn't working
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Lines of code
https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/crowdfund/BuyCrowdfundBase.sol#L128-L139
Vulnerability details
Impact
The _buy function of the BuyCrowdfundBase contract can call any function of any contract to buy any NFT (like CryptoPunks), but since CryptoPunks does not have the ownerOf function, this prevents the contract from buying non-ERC721-standard NFTs like CryptoPunks even if it raises enough ETH.
And the AuctionCrowdfund contract does not support bidding for non-ERC721 standard NFTs.
Proof of Concept
https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/crowdfund/BuyCrowdfundBase.sol#L128-L139
Tools Used
None
Recommended Mitigation Steps
Consider filtering for non-ERC721 compliant NFTs when creating BuyCrowdfund/CollectionBuyCrowdfund/AuctionCrowdfund contracts.
Or add support for non-ERC721-compliant NFTs.
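One way to implement the first mitigation (rejecting non-ERC721 tokens when a crowdfund is created) is an ERC-165 probe, shown here as an added example that is not code from the report or from PartyDAO's repository. The library name `ERC721Filter`, its functions, and the idea of calling it from the crowdfund initializer are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

interface IERC165 {
    function supportsInterface(bytes4 interfaceId) external view returns (bool);
}

/// Hypothetical helper (not part of party-contracts): decides at creation time
/// whether a token contract advertises ERC-721 through ERC-165 introspection.
library ERC721Filter {
    bytes4 internal constant ERC165_ID  = 0x01ffc9a7; // ERC-165 itself
    bytes4 internal constant ERC721_ID  = 0x80ac58cd; // ERC-721 core interface
    bytes4 internal constant INVALID_ID = 0xffffffff; // must be reported as unsupported

    error NotERC721(address token);

    /// Returns true only if `token` has code and passes the ERC-165 detection
    /// procedure for the ERC-721 interface id.
    function isERC721(address token) internal view returns (bool) {
        if (token.code.length == 0) return false; // EOA or undeployed address
        return _supports(token, ERC165_ID)
            && !_supports(token, INVALID_ID)
            && _supports(token, ERC721_ID);
    }

    /// Reverts early so a crowdfund cannot be created for a token whose
    /// ownership could never be confirmed through ownerOf later on.
    function requireERC721(address token) internal view {
        if (!isERC721(token)) revert NotERC721(token);
    }

    /// Low-level probe: a revert, a missing function, or a short or malformed
    /// return value all count as "not supported" instead of bubbling up.
    function _supports(address token, bytes4 id) private view returns (bool) {
        (bool ok, bytes memory ret) = token.staticcall{gas: 30_000}(
            abi.encodeWithSelector(IERC165.supportsInterface.selector, id)
        );
        if (!ok || ret.length < 32) return false;
        // Decode as uint256 so a non-boolean word cannot make abi.decode revert.
        return abi.decode(ret, (uint256)) == 1;
    }
}
```

ERC-165 answers are self-reported by the token contract, so this filter screens out contracts that do not claim ERC-721 support; it does not prove that ownerOf behaves correctly.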