This repository has been archived by the owner on May 26, 2023. It is now read-only.
unforgiven - attacker can cause claims of the atomicBounty and TieredPercentageBounty to revert if one of the whitelisted tokens revert when transferring 0 amount #249
Labels
Duplicate
A valid issue that is a duplicate of an issue with `Has Duplicates` label
Escalation Resolved
This issue's escalations have been approved/rejected
High
A valid High severity issue
Reward
A payout will be made for this issue
unforgiven
high
attacker can cause claims of the atomicBounty and TieredPercentageBounty to revert if one of the whitelisted tokens revert when transferring 0 amount
Summary
Some ERC20 tokens revert when transfer called with 0 amount. function
claimBalance()
in AtomicBountyV1 andclaimTiered()
in TieredPercentageBountyV1 would try to transfer 0 amount to winner if token balance of the contract was zero. attacker can use this and cause any bounty of those types to be unclaimable by making claim calls to revert because in claim code would loop through deposit tokens and try to transfer win amount which would revert on the 0 transfer of that specific token.Vulnerability Detail
Function
claimBounty()
in ClaimManagerV1 is used for claiming winner prize from Bounty contract. it calls appropriate claim method based on bounty type. the specific type bounty claim function would loop through bounty deposit tokens and call claim function of the bounty contract for that deposit token. for bounty types atomic and percentage tiered it callsclaimBalance()
andclaimTiered()
.This is
_claimAtomicBounty()
code which is called byclaimBounty()
:As you can see it loops through bounty deposit tokens and calls
bounty.claimBalance()
. This isclaimBalance()
code in AtomicBountyV1 contract:As you can see it calls
_transferToken()
with contract current balance in that token and if contract token balance was 0 code still calls transfer method. This is_transferToken()
and_transferERC20()
code:As you can see there is no check that transfer
volume
is not 0. the functionclaimTiered()
in TieredPercentageBountyV1 contract is similar and it would try to transfer 0 amount too when contract token balance is zero. there are some ERC20 tokens that reverts when transfer called with 0 amount. if one of those tokens were in whitelists then attacker can use that token to prevent any claim in every bounty by depositing small amount and then withdrawing that revert-on-zero-transfer token and then in any claim call to that bounty, code would loop through bounty deposit tokens and try to transfer win amount but when it reaches the attacker deposit token, because balance is zero, code would try to transfer 0 amount and the whole transaction would revert.these are the steps attacker need to perform:
the issue for percentage tiered bounty is similar.
Impact
attacker can cause winners to not receive their prizes as claim function would always revert.
Code Snippet
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/AtomicBountyV1.sol#L89-L98
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/BountyCore.sol#L181-L191
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/BountyCore.sol#L221-L228
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/TieredPercentageBountyV1.sol#L104-L120
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/ClaimManager/Implementations/ClaimManagerV1.sol#L130-L148
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/ClaimManager/Implementations/ClaimManagerV1.sol#L230-L236
Tool used
Manual Review
Recommendation
don't call token transfer when the amount is 0. this check can be in claim function or lover level functions like
_transferERC20()
Duplicate of #267
The text was updated successfully, but these errors were encountered: