This repository has been archived by the owner on May 26, 2023. It is now read-only.

yixxas - solvent() cannot be used on tiered bounty #301

Closed
github-actions bot opened this issue Feb 21, 2023 · 3 comments
Labels
Has Duplicates: A valid issue with 1+ other issues describing the same vulnerability
Low/Info: A valid Low/Informational severity issue
Non-Reward: This issue will not receive a payout
Sponsor Confirmed: The sponsor acknowledged this issue is valid
Will Fix: The sponsor confirmed this issue will be fixed

Comments

@github-actions

yixxas

medium

solvent() cannot be used on tiered bounty

Summary

As documented, solvent() should be usable to determine if a bounty has enough funds to cover payouts. However, the current implementation does not allow it to be used for tiered bounties.

/// @notice Determines whether or not an ongoing bounty or tiered bounty have enough funds to cover payouts

Vulnerability Detail

solvent() calls bounty.payoutVolume(). However, payoutVolume is a variable implemented only in OngoingBountyStorage.sol. Only ongoing bounties will be able to utilise this function, contrary to what is documented.

function solvent(string calldata _bountyId) external view returns (bool) {
	IBounty bounty = getBounty(_bountyId);

	uint256 balance = bounty.getTokenBalance(bounty.payoutTokenAddress());
	return balance >= bounty.payoutVolume();
}

Impact

solvent() cannot be used on tiered bounty

Code Snippet

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/OpenQ/Implementations/OpenQV1.sol#L408-L413

Tool used

Manual Review

Recommendation

Consider implementing payoutVolume for tiered bounties if we want to check their solvency with solvent().
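
The failure described in this report, as an added Solidity example that is not part of the original issue or the OpenQ code base. All contract and function names other than payoutVolume and getTokenBalance are hypothetical stand-ins, getTokenBalance is simplified to take no argument, and the numeric values are constructed. It shows the interface call compiling but reverting for a bounty type without the getter, next to a variant that reports the gap instead of reverting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical, minimal stand-ins for illustration; not the OpenQ contracts.
interface IBountyLike {
    function getTokenBalance() external view returns (uint256);
    function payoutVolume() external view returns (uint256);
}

// Ongoing-style bounty: payoutVolume exists as a public getter.
contract OngoingLike {
    uint256 public payoutVolume = 100; // constructed value
    function getTokenBalance() external pure returns (uint256) {
        return 250; // constructed value
    }
}

// Tiered-style bounty: no payoutVolume getter and no fallback function.
contract TieredLike {
    function getTokenBalance() external pure returns (uint256) {
        return 250; // constructed value
    }
}

contract SolvencyChecks {
    // Same shape as the solvent() quoted in the report. The cast to the
    // interface compiles for any address; the missing selector only shows
    // up at call time, so this reverts when bounty is a TieredLike.
    function solventAsWritten(address bounty) external view returns (bool) {
        IBountyLike b = IBountyLike(bounty);
        return b.getTokenBalance() >= b.payoutVolume();
    }

    // Defensive variant: reports "not supported" instead of reverting.
    function solventChecked(address bounty)
        external view returns (bool supported, bool isSolvent)
    {
        IBountyLike b = IBountyLike(bounty);
        try b.payoutVolume() returns (uint256 owed) {
            return (true, b.getTokenBalance() >= owed);
        } catch {
            return (false, false); // bounty type exposes no payoutVolume
        }
    }
}
```

The try/catch only covers a revert inside the called contract; a target address with no code still reverts in the caller.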

@github-actions github-actions bot added Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue labels Feb 21, 2023
@FlacoJones FlacoJones added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Feb 23, 2023
@FlacoJones

This is never called anywhere on or off chain actually. Will fix by removing.


@hrishibhat
Contributor

hrishibhat commented Mar 5, 2023

Considering this issue low as this function is view only and not used anywhere.

@sherlock-admin sherlock-admin added Low/Info A valid Low/Informational severity issue Non-Reward This issue will not receive a payout and removed Medium A valid Medium severity issue labels Mar 7, 2023