Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

kiki_dev - malicious or paused tokens can cause claiming to fail. #338

Closed
github-actions bot opened this issue Feb 21, 2023 · 0 comments
Closed

kiki_dev - malicious or paused tokens can cause claiming to fail. #338

github-actions bot opened this issue Feb 21, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

@github-actions
Copy link

github-actions bot commented Feb 21, 2023
edited
Loading

kiki_dev

high

malicious or paused tokens can cause claiming to fail.

Summary

Atomic Bounty is meant to be a way for users to claim a varitey of assets. And depositFunds allows anyone to deposit either a whitelisted token a whitelisted NFT or a non-whitelisted token. the issue here is that a user can create a custom token that reverts whenever it is transfered to an address that is not that bounty. Or whenever the bad actor is not one of either the _to or _from. For example erc-777 tokens have before and after trnasfer hooks. A bad actor can add logic to the before trnasfer hook that would cause the transfer to fail.

This is bad for this protocol becasue atomic bounty is claimed in a loop. And one bad token can cause the entire claim to fail making it impossible for a claimant to recieve the rewards from the bounty that they earned.

Vulnerability Detail

Here is a scneario:

Alice creates a atomic bounty and she supplies 1000 $Gods and 1 eth
A bad actor submits a his own token $HALT
Bob completes the bounty and tries to claim
In the claim function it first attempts to transfer the $GODS, all goes well
Then it attempts to transer the 1 eth, all goes well
Then it tries to transfer $HALT
Bob being the bad actor that he is, he put special logic into the beforeTransfer hook that immedialty reverts.
Becasue this transfer reverted all previouse work in this transaction is undone.
The bounty is now unclaimable.

This can happen when there is one token or 100 as long as a malicouse token is allowed to be in the loop a bad actor can always make claiming impossible.

Note: token doesnt even have to be mailicous a paused token can do the same thing.

Impact

unusable protocol
Loss of compensation for claimant

Code Snippet

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/ClaimManager/Implementations/ClaimManagerV1.sol#L133

Tool used

Manual Review

Recommendation

There should be a way to remove malicious tokens from atomic queue. This could even be an option that is limited to claimant. Where if a transaction fails they can see what token caused it and choose to remove it from the reward queue.

Duplicate of #62
@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue labels Feb 21, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Mar 7, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin