Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

clems4ever - Multiple payments for one contributor but only one invoice required #242

Closed
github-actions bot opened this issue Feb 21, 2023 · 3 comments
Closed

clems4ever - Multiple payments for one contributor but only one invoice required #242

github-actions bot opened this issue Feb 21, 2023 · 3 comments
Labels
Low/Info A valid Low/Informational severity issue Non-Reward This issue will not receive a payout Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@github-actions
Copy link

clems4ever

medium

Multiple payments for one contributor but only one invoice required

Summary

In OngoingBounty, a claimId is a hash encoding the contributor and the PR and this id is used as a key for whether supporting documents have been provided or an invoice has been completed. However, if a contributor makes several contributions and get paid multiple times, I guess we should verify that there is a new invoice for each payment. However, this is not checked in the contract since the mapping are all overridden since multiple payouts would generate the same claimId.

Vulnerability Detail

function claimOngoingPayout(
        address _payoutAddress,
        bytes calldata _closerData
    ) external onlyClaimManager nonReentrant returns (address, uint256) {
        (, string memory claimant, , string memory claimantAsset) = abi.decode(
            _closerData,
            (address, string, address, string)
        );

        bytes32 _claimId = generateClaimId(claimant, claimantAsset);

        claimId[_claimId] = true; <================================================ same claim id for same user on same PR who makes 2 contributions or more and this makes overridden with the same value. Is it expected?
        claimIds.push(_claimId);

        _transferToken(payoutTokenAddress, payoutVolume, _payoutAddress);
        return (payoutTokenAddress, payoutVolume);
    }

Impact

Only one invoice required to get the payment instead of as many invoices as there are payments for the same developers on the same PR.

Code Snippet

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/OngoingBountyV1.sol#L107

Tool used

Manual Review

Recommendation

Include the number of payments in the encoding function for generating a unique claim id for every claim from the same user and PR in order to verify whether there is an invoice for each payment.
@github-actions github-actions bot added the Medium A valid Medium severity issue label Feb 21, 2023
@FlacoJones
Copy link

Will fix by removing Ongoing

@FlacoJones FlacoJones added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Feb 23, 2023
@FlacoJones
Copy link

OpenQDev/OpenQ-Contracts#112

@hrishibhat
Copy link
Contributor

Given the _claimId being unique for a given submission the above assumption seems to be incorrect.

@sherlock-admin sherlock-admin added Low/Info A valid Low/Informational severity issue Non-Reward This issue will not receive a payout and removed Medium A valid Medium severity issue labels Mar 7, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Low/Info A valid Low/Informational severity issue Non-Reward This issue will not receive a payout Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@hrishibhat @FlacoJones @sherlock-admin