This repository has been archived by the owner on May 26, 2023. It is now read-only.

rvierdiiev - TieredPercentageBountyV1.setPayoutSchedule can be called after bounty is closed #116

Closed
github-actions bot opened this issue Feb 21, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Non-Reward This issue will not receive a payout

Comments


github-actions bot commented Feb 21, 2023

rvierdiiev

high

TieredPercentageBountyV1.setPayoutSchedule can be called after bounty is closed

Summary

TieredPercentageBountyV1.setPayoutSchedule can be called after the bounty is closed. This can change the payment amount for claimers.

Vulnerability Detail

TieredPercentageBountyV1.setPayoutSchedule changes the payout percentage for the tiers.
This function is called through the OpenQV1.setPayoutSchedule function, and the problem is that it can be called after the bounty is closed.

TieredPercentageBountyV1 closes after the first claimer claims his payment.
At that moment, tier payments should not be changed anymore.

However, there is no restriction for the bounty issuer, so he can call OpenQV1.setPayoutSchedule any time he wants.
This is not only unfair, but also creates the possibility that users will not receive payments in case of a wrong reconfiguration.

Example:
1. In a 100 USDC bounty, the percentages are tier 1: 60%, tier 2: 40%.
2. The first user, let's say tier 1, claims, so the bounty closes and the balance is set to the fundingTotals variable.
He receives 60 tokens. The balance of the contract is 40 tokens now.
3. The issuer calls OpenQV1.setPayoutSchedule and changes the tiers to: tier 1: 50%, tier 2: 50%.
4. The second user claims, but the tx reverts as the contract doesn't control the 50 tokens that should be sent; it has only 40 tokens according to the previous payout schedule.

Impact

The ability for the issuer to call OpenQV1.setPayoutSchedule after the bounty is closed makes it possible to break the payment system, and also allows decreasing payments.

Code Snippet

Provided above

Tool used

Manual Review

Recommendation

Do not allow calling OpenQV1.setPayoutSchedule when the bounty is already closed.

Duplicate of #272
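The recommended guard in a minimal form, as an added illustration that is not OpenQ's code: a tiered bounty that closes on the first claim, snapshots its balance into `fundingTotals` as the report describes, and then refuses schedule changes. Everything except the names `setPayoutSchedule` and `fundingTotals` (contract name, `openQ` caller, `claimTier`, `closed` flag, error names) is an assumption made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
}

// Hypothetical simplified bounty, not the audited TieredPercentageBountyV1.
contract TieredBountyIllustration {
    address public immutable issuer;
    address public immutable openQ;      // assumed: only this address may trigger claims
    IERC20 public immutable token;
    uint256[] public payoutSchedule;     // percentage per tier, expected to sum to 100
    uint256 public fundingTotals;        // balance snapshot taken when the bounty closes
    bool public closed;
    mapping(uint256 => bool) public tierClaimed;

    error BountyClosed();
    error NotIssuer();
    error NotOpenQ();

    constructor(address _issuer, address _openQ, IERC20 _token, uint256[] memory schedule) {
        issuer = _issuer;
        openQ = _openQ;
        token = _token;
        payoutSchedule = schedule;
    }

    // Fix for the reported issue: once closed, the schedule is frozen.
    // Without the `closed` check, the 60/40 -> 50/50 change from the report is
    // accepted and the tier-2 claim later reverts because only 40 tokens remain.
    function setPayoutSchedule(uint256[] calldata schedule) external {
        if (msg.sender != issuer) revert NotIssuer();
        if (closed) revert BountyClosed();
        payoutSchedule = schedule;
    }

    function claimTier(uint256 tier, address claimant) external {
        if (msg.sender != openQ) revert NotOpenQ();
        require(!tierClaimed[tier], "tier already claimed");
        if (!closed) {
            closed = true;                                   // first claim closes the bounty
            fundingTotals = token.balanceOf(address(this));  // e.g. 100 USDC in the report
        }
        tierClaimed[tier] = true;
        uint256 amount = (fundingTotals * payoutSchedule[tier]) / 100;
        require(token.transfer(claimant, amount), "transfer failed");
    }
}
```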
