Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

cccz - Unable to claim NFT in OngoingBounty #211

Closed
github-actions bot opened this issue Feb 21, 2023 · 0 comments
Closed

cccz - Unable to claim NFT in OngoingBounty #211

github-actions bot opened this issue Feb 21, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Non-Reward This issue will not receive a payout

Comments

@github-actions
Copy link

github-actions bot commented Feb 21, 2023
edited
Loading

cccz

medium

Unable to claim NFT in OngoingBounty

Summary

ClaimManagerV1._claimOngoingBounty could not claim NFT in OngoingBounty.

Vulnerability Detail

OngoingBountyV1.receiveNft allows users to deposit NFT into OngoingBounty.

    function receiveNft(
        address _sender,
        address _tokenAddress,
        uint256 _tokenId,
        uint256 _expiration,
        bytes calldata
    ) external onlyDepositManager nonReentrant returns (bytes32) {
        require(
            nftDeposits.length < nftDepositLimit,
            Errors.NFT_DEPOSIT_LIMIT_REACHED
        );
        require(_expiration > 0, Errors.EXPIRATION_NOT_GREATER_THAN_ZERO);
        _receiveNft(_tokenAddress, _sender, _tokenId);

but ClaimManagerV1._claimOngoingBounty cannot claim the NFT in OngoingBounty

    function _claimOngoingBounty(
        IOngoingBounty _bounty,
        address _closer,
        bytes calldata _closerData
    ) internal {
        _eligibleToClaimOngoingBounty(_bounty, _closer, _closerData);

        (address tokenAddress, uint256 volume) = _bounty.claimOngoingPayout(
            _closer,
            _closerData
        );

Unlike this, the other three types of bounty all allow the winner to claim NFT

Impact

The winner cannot claim the NFT deposited by other users

Code Snippet

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/OngoingBountyV1.sol#L133-L146
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/ClaimManager/Implementations/ClaimManagerV1.sol#L173-L197

Tool used

Manual Review

Recommendation

Consider specifying the claimant when depositing NFTs in the Ongoing Bounty and allowing the user corresponding to that claimant to claim the NFTs

Duplicate of #261
@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue labels Feb 21, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Mar 7, 2023
@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Medium A valid Medium severity issue Reward A payout will be made for this issue labels Mar 18, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Non-Reward This issue will not receive a payout
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin