This repository has been archived by the owner on May 26, 2023. It is now read-only.

caventa - [Fund stuck] Funds could get stuck if the payment schedule number is less than the token address number in Percentage Tier Bounty #111

Closed
github-actions bot opened this issue Feb 21, 2023 · 3 comments
Labels: Low/Info (A valid Low/Informational severity issue), Non-Reward (This issue will not receive a payout), Sponsor Confirmed (The sponsor acknowledged this issue is valid), Will Fix (The sponsor confirmed this issue will be fixed)

Comments


caventa

high

[Fund stuck] Funds could get stuck if the payment schedule number is less than the token address number in Percentage Tier Bounty

Summary

Funds could get stuck if the payment schedule number is less than the token address number in Percentage Tier Bounty.

Vulnerability Detail

Let's make an example.

  1. Only 1 payout schedule entry is set (which is 100)
  2. 600 MockLink and 600 mockDai are deposited
  3. CloseCompetition
  4. Claim tiered for MockLink
  5. Claim tiered for mockDai (Failed!)

I wrote a unit test for this in TieredPercentageBounty.test.js:

it.only('should transfer volume of tokenAddress balance based on payoutSchedule', async () => {
    // tieredContract, owner, depositManager, claimManager, mockLink, mockDai and
    // Constants come from the surrounding test file's setup
    await tieredContract.setPayoutSchedule([100]); // a single tier (index 0) receiving 100%
    const [, firstPlace] = await ethers.getSigners();
    await tieredContract.connect(depositManager).receiveFunds(owner.address, mockLink.address, 600, Constants.thirtyDays); // 600 mockLink
    await tieredContract.connect(depositManager).receiveFunds(owner.address, mockDai.address, 600, Constants.thirtyDays); // 600 mockDai

    await tieredContract.connect(claimManager).closeCompetition();
    await tieredContract.connect(claimManager).claimTiered(firstPlace.address, 0, mockLink.address); // tier 0, mockLink

    // tier 1, mockDai: expected to revert (0x32 is the Solidity panic code for an out-of-bounds array index)
    await expect(tieredContract.connect(claimManager).claimTiered(firstPlace.address, 1, mockDai.address)).to.be.revertedWith('0x32'); // unable to claim
});

Impact

Since, so far, the only way to withdraw coins is to claim them, mockDai could be stuck forever.

Code Snippet

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/TieredPercentageBountyV1.sol#L104-L120
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/TieredFixedBountyV1.sol#L91-L107

Tool used

Manual Review

Recommendation

Restrict the number of DISTINCT deposit token addresses to be the same as the payment schedule array length.

@github-actions github-actions bot added the High A valid High severity issue label Feb 21, 2023
@FlacoJones FlacoJones added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Feb 23, 2023
@FlacoJones

Will fix by removing tiered percentage for now


@IAm0x52
Collaborator

IAm0x52 commented Mar 5, 2023

Invalid. Test only fails because the second claimTiered uses the wrong tier (1 instead of 0)

@sherlock-admin sherlock-admin added Low/Info A valid Low/Informational severity issue Non-Reward This issue will not receive a payout and removed High A valid High severity issue labels Mar 7, 2023
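The point IAm0x52 makes above, as an added example that is not part of the issue thread and is not OpenQ's contract code: a simplified JavaScript model of a tiered-percentage bounty in which the payout schedule is indexed by tier, not by token. The class name, method names, error strings and the `winner`/`mock*` identifiers are assumptions made for this illustration, and the deposit amounts are constructed. `reproduceReport()` walks the report's five steps and shows that the mockDai claim only fails when it is made with tier index 1 against a one-entry schedule, and succeeds with tier 0; `claimEveryTierForEveryToken()` generalises to several tiers and tokens to show that schedule length and the number of distinct deposit tokens are unrelated, so the recommendation to tie them together is not needed.

```javascript
// Simplified model of a tiered-percentage bounty, written for this page as an
// illustration. It is NOT OpenQ's TieredPercentageBountyV1: the state layout,
// error strings and checks below are assumptions, chosen only to show how a
// tier-indexed payout schedule relates to the number of deposited tokens.
class TieredPercentageBountyModel {
  constructor(payoutSchedule) {
    // payoutSchedule[i] is the percentage of EVERY deposited token that tier i receives.
    const total = payoutSchedule.reduce((sum, pct) => sum + pct, 0);
    if (total !== 100) throw new Error('payout schedule must sum to 100');
    this.payoutSchedule = payoutSchedule.slice();
    this.volume = new Map();       // token address -> total amount deposited
    this.tierClaimed = new Set();  // "tier:token" pairs that have already been paid out
    this.paid = new Map();         // "claimant:token" -> amount transferred out
    this.closed = false;
  }

  receiveFunds(token, amount) {
    if (this.closed) throw new Error('competition already closed');
    this.volume.set(token, (this.volume.get(token) || 0) + amount);
  }

  closeCompetition() {
    this.closed = true;
  }

  // Pay `claimant` the share of `token` that belongs to `tier`; returns the amount.
  claimTiered(claimant, tier, token) {
    if (!this.closed) throw new Error('competition not closed');
    // Solidity reverts with Panic(0x32) when an array is indexed out of bounds;
    // the model makes that check explicit so the failure mode is visible.
    if (tier < 0 || tier >= this.payoutSchedule.length) {
      throw new Error(`Panic(0x32): tier ${tier} out of bounds for schedule of length ${this.payoutSchedule.length}`);
    }
    const key = `${tier}:${token}`;
    if (this.tierClaimed.has(key)) throw new Error(`tier ${tier} already claimed for ${token}`);
    const payout = Math.floor(((this.volume.get(token) || 0) * this.payoutSchedule[tier]) / 100);
    this.tierClaimed.add(key);
    const paidKey = `${claimant}:${token}`;
    this.paid.set(paidKey, (this.paid.get(paidKey) || 0) + payout);
    return payout;
  }
}

// The report's steps: one tier, two tokens (constructed amounts), close, claim
// mockLink, then mockDai. Claiming mockDai with tier 1 fails because only tier 0
// exists, not because two tokens were deposited; tier 0 then succeeds for mockDai.
function reproduceReport() {
  const bounty = new TieredPercentageBountyModel([100]);
  bounty.receiveFunds('mockLink', 600);
  bounty.receiveFunds('mockDai', 600);
  bounty.closeCompetition();
  const linkPayout = bounty.claimTiered('firstPlace', 0, 'mockLink');
  let wrongTierError = null;
  try {
    bounty.claimTiered('firstPlace', 1, 'mockDai');
  } catch (err) {
    wrongTierError = err.message;
  }
  const daiPayout = bounty.claimTiered('firstPlace', 0, 'mockDai');
  return { linkPayout, wrongTierError, daiPayout };
}

// General case: every tier can be claimed for every token regardless of how many
// distinct tokens were deposited, so schedule length and token count are unrelated.
// Returns a table of payouts keyed by tier index, then token.
function claimEveryTierForEveryToken(payoutSchedule, deposits) {
  const bounty = new TieredPercentageBountyModel(payoutSchedule);
  for (const [token, amount] of Object.entries(deposits)) bounty.receiveFunds(token, amount);
  bounty.closeCompetition();
  const table = {};
  payoutSchedule.forEach((_, tier) => {
    table[tier] = {};
    for (const token of Object.keys(deposits)) {
      table[tier][token] = bounty.claimTiered(`winner${tier}`, tier, token);
    }
  });
  return table;
}
```

When reviewing a proof-of-concept like the one in this issue, the first thing to check is that the failing call differs from the succeeding call only in the variable the report blames (here, the token); once the tier index is held constant, the claimed failure disappears.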