When the contract gets the free NFT and there are no contributors, other users can contribute immediately and get full control of that NFT #143
Labels
bug
Something isn't working
duplicate
This issue or pull request already exists
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/crowdfund/AuctionCrowdfund.sol#L233-L242
Vulnerability details
Impact
In the finalize function of the AuctionCrowdfund contract, if the contract gets the free NFT and there are no contributors, the comment says " Nobody ever contributed. The NFT is effectively burned."
But in reality, the current status is Active because the transaction was reverted. Other users can immediately call the contribute and finalize functions to get full control of the NFT.
This can also happen in BuyCrowdfundBase.
Proof of Concept
https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/crowdfund/AuctionCrowdfund.sol#L233-L242
https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/crowdfund/BuyCrowdfundBase.sol#L122-L126
Tools Used
None
Recommended Mitigation Steps
If the contract expects the NFT to be frozen in this case, it should set the state to Finalized instead of revert the transaction.
The text was updated successfully, but these errors were encountered: