Calling transferEth function can revert if receiver input corresponds to a contract that is unable to receive ETH through its receive or fallback function #212
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
resolved: Finding has been patched by sponsor (sponsor pls link to PR containing fix)
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/utils/LibAddress.sol#L8-L15
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L444-L489
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L371-L388
Vulnerability details
Impact
The transferEth function (LibAddress.sol, linked below) is called by the _burn function in Crowdfund.sol and by the _transfer function in TokenDistributor.sol. If the receiver input to transferEth is a contract, that contract may, intentionally or unintentionally, lack a receive or fallback function that accepts ETH, or its receive or fallback function may execute complicated logic that costs a lot of gas; either case can make the call to transferEth revert. For example, when transferEth reverts, _burn also reverts, so after the crowdfund finishes the receiver contract can neither obtain its voting power nor receive the refund of the extra contribution it made, even though it is entitled to both. The receiver contract therefore loses value that it deserves, which is unfair to the users who control it.
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/utils/LibAddress.sol#L8-L15
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L444-L489
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L371-L388
Proof of Concept
Please add the following error and append the test in sol-tests\crowdfund\BuyCrowdfund.t.sol. This test will pass to demonstrate the described scenario.
Tools Used
VSCode
Recommended Mitigation Steps
When calling the transferEth function, if the receiver contract is unable to receive ETH through its receive or fallback function, WETH can be used to deposit the corresponding ETH amount, and the deposited WETH can be transferred to the receiver contract.
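As an added illustration of this mitigation (example code, not the PartyDAO library's own transferEth), the helper below first attempts a plain ETH transfer and, if the receiver rejects it, deposits the same amount into WETH and transfers the tokens instead; the IWETH interface, the LibEthOrWeth, RejectsEth and RefundExample names, and the RECEIVER_GAS value are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Assumed minimal WETH9 interface: deposit() wraps msg.value, transfer() is the ERC-20 transfer.
interface IWETH {
    function deposit() external payable;
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical replacement for a push-only transferEth helper (not the PartyDAO library).
library LibEthOrWeth {
    error WethTransferFailed(address receiver, uint256 amount);

    // Gas forwarded to the receiver's receive/fallback on the first attempt (assumed value).
    // Bounding it stops a receiver that burns gas before reverting from starving the WETH path.
    uint256 internal constant RECEIVER_GAS = 100_000;

    /// Sends `amount` wei to `receiver`. A receiver that cannot accept ETH (no payable
    /// receive/fallback, or one that reverts) no longer makes the caller revert: the same
    /// amount is wrapped as WETH and sent as ERC-20 tokens instead.
    function transferEthOrWeth(IWETH weth, address payable receiver, uint256 amount) internal {
        (bool ok, ) = receiver.call{value: amount, gas: RECEIVER_GAS}("");
        if (ok) return;
        weth.deposit{value: amount}();
        if (!weth.transfer(receiver, amount)) revert WethTransferFailed(receiver, amount);
    }
}

// Constructed receiver with no receive or fallback function: any ETH sent to it reverts,
// so the helper takes the WETH branch for this address instead of reverting the caller.
contract RejectsEth {}

// Constructed caller: refunds keep working even when the beneficiary is a RejectsEth contract.
contract RefundExample {
    IWETH public immutable weth;
    mapping(address => uint256) public owed;

    constructor(IWETH weth_) { weth = weth_; }

    function contribute(address beneficiary) external payable { owed[beneficiary] += msg.value; }

    function refund(address payable beneficiary) external {
        uint256 amount = owed[beneficiary];
        owed[beneficiary] = 0; // clear state before the external call (checks-effects-interactions)
        LibEthOrWeth.transferEthOrWeth(weth, beneficiary, amount);
    }
}
```

With the WETH branch the refund can no longer be blocked by a single receiver, and the capped first call matters because a receiver that reverts only after consuming most of the forwarded gas would otherwise leave too little for the deposit and transfer.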