yixxas - Claimant cannot claim any of the assets they should receive if any of these assets is blacklisted #370
Comments
Escalate for 21 USDC This issue is not a dupe of #62 . Issue #62 is about an adversary funding the contract with a malicious token such that ALL other users cannot claim as a result. In this issue, it affects only the claimant, where if there is a token (introduced via normal use of the protocol) amongst all funded tokens that has a blacklist function (USDT, USDC), and blacklists the claimant, then this claimant will not be able to claim any of the other tokens. Other users are not affected. There is no involvement of a malicious attacker here. User is being unfairly punished as not only are they not able to claim the token in which they are blacklisted, they are also unable to claim all other tokens. Similar issues #392 and #183 are also wrongly duped to #62 and should be resolved together with this.
You've created a valid escalation for 21 USDC! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Escalation accepted Not a valid duplicate of #62
This issue's escalations have been accepted! Contestants' payouts and scores will be updated according to the changes made on this issue.
yixxas
high
Claimant cannot claim any of the assets they should receive if any of these assets is blacklisted
Summary
Because in both _claimAtomic() and _claimTierPercentageBounty() all assets are transferred to users atomically, i.e. either every transfer succeeds or the whole claim fails, a user whose address is blacklisted by even one of the bounty's tokens is prevented from claiming any of the other ERC20 tokens, as well as the NFTs.
Vulnerability Detail
In both _claimAtomic() and _claimTierPercentageBounty(), the ERC20 token addresses of the bounty are looped through and each token is transferred to the claimant one by one. This is a push method of paying rewards. However, some ERC20 tokens, such as USDT, have a blacklist function. If a user is blacklisted, the transfer to their address reverts, and because the loop runs inside a single transaction that revert prevents them from ever claiming any of the other assets.
Impact
A user cannot claim any of their assets if even one of those assets has them blacklisted.
Code Snippet
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/ClaimManager/Implementations/ClaimManagerV1.sol#L123-L166
Tool used
Manual Review
Recommendation
Consider using a pull method of claiming tokens instead. Otherwise, a try clause can be used to continue transferring the remaining tokens even if one transfer fails.
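An added sketch (my own code, not OpenQ's) that puts the atomic push loop described above next to a variant tolerating a single failing token: instead of a try clause it uses a low-level call in the SafeERC20 style, and any unpaid amount is recorded so the claimant can pull it later. The contract, function and mapping names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical sketch, not OpenQ code: the atomic push loop from the issue beside
// a variant that isolates per-token failures and keeps unpaid amounts for a pull.
contract ClaimSketch {
    address[] public tokens;                                        // funded ERC20s
    mapping(address => mapping(address => uint256)) public owed;    // token => claimant => amount
    mapping(address => mapping(address => uint256)) public failed;  // token => claimant => unpaid
    // Vulnerable shape: one reverting transfer (a blacklisted claimant, say)
    // reverts the whole claim, so none of the other tokens are paid either.
    function claimAtomic(address claimant) external {
        for (uint256 i = 0; i < tokens.length; i++) {
            uint256 amt = owed[tokens[i]][claimant];
            if (amt == 0) continue;
            owed[tokens[i]][claimant] = 0;
            require(IERC20(tokens[i]).transfer(claimant, amt), "transfer failed");
        }
    }
    // Hardened shape: each transfer goes through a low-level call, so a revert
    // in one token cannot block the rest; the unpaid amount is kept for a pull.
    function claimResilient(address claimant) external {
        for (uint256 i = 0; i < tokens.length; i++) {
            address token = tokens[i];
            uint256 amt = owed[token][claimant];
            if (amt == 0) continue;
            owed[token][claimant] = 0;
            if (!_tryTransfer(token, claimant, amt)) failed[token][claimant] += amt;
        }
    }
    // Pull path for a token whose push failed (e.g. once the blacklist is lifted).
    function withdrawFailed(address token) external {
        uint256 amt = failed[token][msg.sender];
        require(amt > 0, "nothing to withdraw");
        failed[token][msg.sender] = 0;
        require(_tryTransfer(token, msg.sender, amt), "transfer still failing");
    }
    // SafeERC20-style: tolerates tokens such as USDT that return no bool, and
    // treats a call to an address without code as a failure instead of a success.
    function _tryTransfer(address token, address to, uint256 amt) internal returns (bool) {
        if (token.code.length == 0) return false;
        (bool ok, bytes memory data) = token.call(abi.encodeWithSelector(IERC20.transfer.selector, to, amt));
        return ok && (data.length == 0 || abi.decode(data, (bool)));
    }
}
```

Note that owed amounts are zeroed before each external call, so a token that reenters the contract during the loop finds nothing left to claim.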