This repository has been archived by the owner on May 26, 2023. It is now read-only.
0x52 - Adversary can permanently break reward distribution for percentage tier bounties by funding bounty then refunding after competition closes #266
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
High
A valid High severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
Comments
github-actions
bot
added
Has Duplicates
This was referenced Feb 22, 2023
|
Valid. Will fix by removing this contract for now. |
FlacoJones
added
Sponsor Confirmed
This was referenced Mar 6, 2023
This was referenced Mar 6, 2023
|
Lead Senior Watson comment on PR #112:
|
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
0x52
high
Adversary can permanently break reward distribution for percentage tier bounties by funding bounty then refunding after competition closes
Summary
When closeCompetition is called for TieredPercentageBountyV1 it takes a snapshot of the current token balance. Afterwards it uses this number to calculate the payouts. When a deposit is refunded after the competition is closed then the contract won't have enough funds to pay users.
To exploit this an adversary can make a deposit for a token that has a current balance of zero using a expiration of 1 second. After the competition closes they refund their deposit. Now when the contract tries to give payouts to the winners it will try to payout a token that it no longer has any of, causing it to revert anytime someone tries to claim a payout.
Vulnerability Detail
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/TieredPercentageBountyV1.sol#L123-L136
TieredPercentageBountyV1#closeCompetition set the final fundingTotals for each token.
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/TieredPercentageBountyV1.sol#L104-L120
For each token in tokenAddresses it will send the claimedBalance to the claimant. If a deposit is refunded after the competition is closed then the contract won't have enough funds to pay users.
An adversary can exploit this by making a deposit of 100 for some token with and _expiration of 1 (second). After the competition has been closed they can refund their deposit causing the contract to be short on funds. If the user makes a deposit with an ERC20 token payouts can be re-enabled by donating to make the contract whole. The user can permanently break payouts by using native MATIC as the deposit. All bounty contracts have their receive function disabled which means the contract can't just be funded, which permanently breaks payouts.
Submitting as high because it can be combined with methods for breaking refunds to lock user funds permanently.
Impact
Adversary can permanently break TieredPercentageBounty payouts
Code Snippet
Tool used
Manual Review
Recommendation
Since TieredPercentageBounty is designed to distribute all deposits present at closing, refunds should be disabled after the competition is closed.
The text was updated successfully, but these errors were encountered: