-
Notifications
You must be signed in to change notification settings - Fork 0
jkoppel - Post-contest refunds block tier winners in tiered percentage bounty from claiming funds #101
Comments
You've created a valid escalation for 43 USDC! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
Escalate for 11 USDC. Agree with @jkoppel, this issue is clearly not a duplicate of #77 and is kinda related to what I wrote here so might be useful for context when re-judging: #505 (comment) My two cents are that this issue should be Medium, not High because post-contest refunders risk that claims will come first, or if their deposits are small enough, the bounty can be made whole by sending these tokens directly to the contract. So they have to make large enough deposits and hope their transactions will be mined earlier than claimants. |
You've created a valid escalation for 11 USDC! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
Escalation accepted Valid duplicate of #266 |
This issue's escalations have been accepted! Contestants' payouts and scores will be updated according to the changes made on this issue. |
jkoppel
high
Post-contest refunds block tier winners in tiered percentage bounty from claiming funds
Summary
Withdrawing deposits after the close of a tiered percentage bounty competition makes it impossible for some winners to claim funds.
Vulnerability Detail
There is a tiered percentage bounty where first place gets 90%, second place gets 10%
The bounty has 10e18 tokens in it.
A griefer deposits 10 tokens. There are now 10e18 + 10 tokens in the account.
The contest ends. Second place claim his 1e18 + 1 tokens.
The first place winner tries to claim his 9e18 + 9 tokens, but the griefer front-runs him by withdrawing his 10 tokens. There are now only 9e18 tokens left in the account, and it is not possible to transfer 9e18+9 tokens out of the account.
First place winner is now unable to claim anything, as his tier is no longer sufficiently funded.
It is still possible for the other depositors to refund their deposits. However, there is a very difficult to attack that does this while also making it impossible to do refunds. In this attack, a variant of https://github.com/sherlock-audit/2023-02-openq-jkoppel/issues/3 , the griefer also spams a very large number of expired 1-token deposits so that
BountyCore.getLockedFunds
will require an amount of gas of almost, but not quite, the block gas limit. It is then still possible for the attacker to withdraw his 1 token and carry out the attack above. However, the attacker then callsextendDeposit
on many deposits, causing the if-branch ingetLockedFunds
to be entered, pushing the cost ofgetLockedFunds
over the limit, and making it impossible to do any more refunds. By doing this, the attacker can cause the remaining funds in the bounty to be lost for an arbitrarily long amount of time, say 1 billion years. Repeated deposit extensions can make the amount of time the funds are frozen truly infinite.Impact
This makes it possible for anyone to, at low difficulty and virtually no cost, block the last claimant from a tiered percentage bounty contest from claiming. It is also possible to block other claimants as well, at higher cost and equally-low difficulty. With much higher difficulty, it becomes possible to freeze funds in the bounty forever.
Code Snippet
From https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/TieredPercentageBountyV1.sol#L115
This will fail if there is less than the claimed balance left in the contract, which will occur if any refunds have been done.
Note that
fundingTotals
is computed bycloseCompetition
above and is fixed from then on.Tool used
Manual Review
Recommendation
Make it so that, if not enough funds are left in the account, claimant gets whatever is left.
Duplicate of #266
The text was updated successfully, but these errors were encountered: