Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

0x52 - When ongoing bounty is closed all deposits are still locked until expiration #256

Closed
github-actions bot opened this issue Feb 21, 2023 · 3 comments
Closed

0x52 - When ongoing bounty is closed all deposits are still locked until expiration #256

github-actions bot opened this issue Feb 21, 2023 · 3 comments
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Low/Info A valid Low/Informational severity issue Non-Reward This issue will not receive a payout Sponsor Disputed The sponsor disputed this issue's validity Will Fix The sponsor confirmed this issue will be fixed

Comments

@github-actions
Copy link

0x52

medium

When ongoing bounty is closed all deposits are still locked until expiration

Summary

Ongoing Bounties can be closed but all deposits will still be stuck until they hit their expiration time. When an ongoing bounty is closed it is no longer possible to be claimed but deposits will still be stuck until expiration.

Vulnerability Detail

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/OpenQ/Implementations/OpenQV1.sol#L328-L351

OpenQV1#closeOngoing allows the creator of the bounty to close their ongoing bounty.

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/ClaimManager/Implementations/ClaimManagerV1.sol#L456-L465

Once an ongoing bounty has been closed, it can no longer be claimed. Since it can't be claimed anymore the bounty won't pay out any more funds. Deposits are still stuck until they expire. This needlessly locks the funds that can never be used.

Impact

Funds can be needlessly locked after ongoing bounties have been closed

Code Snippet

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/DepositManager/Implementations/DepositManagerV1.sol#L152-L195

Tool used

Manual Review

Recommendation

Bypass the expiration check in DepositManagerV1#refundDeposit for ongoing bounties if the bounty is closed.
@github-actions github-actions bot added Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue labels Feb 21, 2023
@github-actions github-actions bot mentioned this issue Feb 22, 2023
Closed
@FlacoJones
Copy link

This is intended

@FlacoJones FlacoJones added Sponsor Disputed The sponsor disputed this issue's validity Will Fix The sponsor confirmed this issue will be fixed labels Feb 23, 2023
@FlacoJones
Copy link

OpenQDev/OpenQ-Contracts#112

@hrishibhat
Copy link
Contributor

Considering this issue as low

This was referenced Mar 5, 2023
Closed
Closed
@sherlock-admin sherlock-admin added Low/Info A valid Low/Informational severity issue Non-Reward This issue will not receive a payout and removed Medium A valid Medium severity issue labels Mar 7, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Low/Info A valid Low/Informational severity issue Non-Reward This issue will not receive a payout Sponsor Disputed The sponsor disputed this issue's validity Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@hrishibhat @FlacoJones @sherlock-admin