This repository has been archived by the owner on May 26, 2023. It is now read-only.
github-actionsbot opened this issue Feb 21, 2023 · 0 comments
Labels
Duplicate: A valid issue that is a duplicate of an issue with `Has Duplicates` label
High: A valid High severity issue
Reward: A payout will be made for this issue
Claims Can Be DoSed By Refunding After Competition Close
Summary
Because FundingTotals in certain bounties are decided when a competition closes and are never adjusted after that, if a refund occurs after the competition closes and before all claims have paid out, the remaining claims will all fail.
A malicious actor can force this to happen by submitting a large amount of tokens with a 1 second expiry, having that amount saved as the funding total, then withdrawing everything. Even the smallest tiers will then be "owed" far more tokens than are actually in the bounty.
Vulnerability Detail
Tiered competition closes with $X in funding totals.
Tier 1 receives 50%, so $X/2. They claim those funds.
Tier 2 is supposed to also receive 50%, but a funder refunds 10% of the funds before they claim.
Now the tier 2 winner is owed $X/2 but the contract only has $X/2 - $X/10.
Claim reverts and can never be withdrawn.
A more malicious version would include depositing 100x the amount of tokens in there, having tier 1 and 2 owed 50% of that, then after the withdrawal no one can claim anything and the tokens are stuck (especially if refund is DoSed another way).
Impact
The impact is high because it will stop all claims from occurring.
Robert
high
Code Snippet
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/TieredPercentageBountyV1.sol#L116
This is where funding totals are set without them being reset anywhere.
Tool used
Manual Review
Recommendation
A couple of possibilities for recommendation. The primary one would be for funding totals to adjust if refunds occur. Another would be to disallow refunds after a competition closes.
Duplicate of #266
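The accounting described in this report, as an added Python model that is not part of the original issue and is not OpenQ's code. Class, method and fix names are hypothetical, deposit expiry is not modeled, and the amounts are constructed.

```python
class Reverted(Exception):
    """Stands in for an EVM revert."""

class TieredBounty:
    """Accounting model only; all names are hypothetical, not OpenQ's contract."""
    def __init__(self, tier_percents, fix=None):
        self.tier_percents = tier_percents  # e.g. [50, 50]
        self.fix = fix                      # None, "block_refunds" or "adjust_total"
        self.balance = 0                    # tokens actually held
        self.deposits = {}                  # funder -> refundable amount
        self.funding_total = None           # snapshot taken once, at close

    def deposit(self, funder, amount):
        self.deposits[funder] = self.deposits.get(funder, 0) + amount
        self.balance += amount

    def close_competition(self):
        self.funding_total = self.balance

    def refund(self, funder, amount):
        closed = self.funding_total is not None
        if closed and self.fix == "block_refunds":
            raise Reverted("refunds are disabled after close")
        if amount > self.deposits.get(funder, 0):
            raise Reverted("refund exceeds deposit")
        self.deposits[funder] -= amount
        self.balance -= amount
        if closed and self.fix == "adjust_total":
            self.funding_total -= amount    # keep the snapshot in step

    def claim(self, tier):
        owed = self.funding_total * self.tier_percents[tier] // 100
        if owed > self.balance:
            raise Reverted("transfer exceeds balance")
        self.balance -= owed
        return owed

def scenario(fix=None, refund_first=False):
    """X = 1000, two 50% tiers, a 10% refund after close (constructed values)."""
    b = TieredBounty([50, 50], fix)
    b.deposit("funder", 1000)
    b.close_competition()
    steps = [lambda: b.claim(0), lambda: b.refund("funder", 100), lambda: b.claim(1)]
    if refund_first:
        steps[0], steps[1] = steps[1], steps[0]
    out = []
    for step in steps:
        try:
            out.append(step())
        except Reverted:
            out.append("revert")
    return out
```

In this model `adjust_total` only rescues the remaining tier when the refund lands before any claim; once tier 1 has been paid from the old snapshot, only `block_refunds` keeps tier 2 claimable.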