Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

usmannk - Issuers may circumvent the expiration timer by closing Ongoing Bounties #357

Closed
github-actions bot opened this issue Feb 21, 2023 · 3 comments
Closed

usmannk - Issuers may circumvent the expiration timer by closing Ongoing Bounties #357

github-actions bot opened this issue Feb 21, 2023 · 3 comments
Labels
Low/Info A valid Low/Informational severity issue Non-Reward This issue will not receive a payout Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@github-actions
Copy link

usmannk

high

Issuers may circumvent the expiration timer by closing Ongoing Bounties

Summary

The expiration timer exists to assure claimants of a minimum amount of time they have to complete a task while not having their bounty refunded to a depositor

However, issuers may set an Ongoing Bounty's status to CLOSED even while expiration timers are still running. Doing this after a task has been completed but before it is claimed results in a theft of bounty from the claimant.

Vulnerability Detail

The Ongoing bounty requires that its status is OPEN in order for it to be claimed. Additionally, the closeOngoing() function available to issuers does not respect expiration timers. A malicious issuer may specify large bounties so victims complete their offchain tasks and then set the bounty to CLOSED when the victim's claim transaction appears in the mempool.

The claim transaction will then revert and the victim will not be able to claim their funds.

Ongoing bounties revert during claiming if they are CLOSED.
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/ClaimManager/Implementations/ClaimManagerV1.sol#L456-L464

Issuers may set ongoing bounties to CLOSED at any time.

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/OpenQ/Implementations/OpenQV1.sol#L328-L351

Impact

Loss of funds to claimants in the amount of the entire claim.

Although this may be "only" classified as "theft of unclaimed yield", I believe it is high severity because claimants must do real off-chain work (like completing a Github Pull Request) before submitting a claim. They are, in effect, being robbed of the work done.

Code Snippet

Tool used

Manual Review

Recommendation

Only allow ongoing bounties to be closed if they have no running expiration timers.
@github-actions github-actions bot added the High A valid High severity issue label Feb 21, 2023
@FlacoJones FlacoJones added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Feb 23, 2023
@FlacoJones
Copy link

OpenQDev/OpenQ-Contracts#112

@IAm0x52
Copy link
Collaborator

IAm0x52 commented Mar 6, 2023

Should be low. Issuer is trusted party.

@hrishibhat
Copy link
Contributor

Agree with Lead Watson, considering this issue as low

@sherlock-admin sherlock-admin added Low/Info A valid Low/Informational severity issue Non-Reward This issue will not receive a payout and removed High A valid High severity issue labels Mar 7, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Low/Info A valid Low/Informational severity issue Non-Reward This issue will not receive a payout Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@hrishibhat @FlacoJones @sherlock-admin @IAm0x52