Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

HonorLt - Closed bounty is considered claimable #386

Closed
github-actions bot opened this issue Feb 21, 2023 · 3 comments
Closed

HonorLt - Closed bounty is considered claimable #386

github-actions bot opened this issue Feb 21, 2023 · 3 comments
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Low/Info A valid Low/Informational severity issue Non-Reward This issue will not receive a payout Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@github-actions
Copy link

HonorLt

medium

Closed bounty is considered claimable

Summary

When the bounty type is not found, it is considered claimable if the status is closed.

Vulnerability Detail

When deciding if the bounty is claimable if the type is not among the known definitions, it returns true if the status is 1:

    function bountyIsClaimable(address _bountyAddress)
        public
        view
        returns (bool)
    {
        IBounty bounty = IBounty(payable(_bountyAddress));

        uint256 status = bounty.status();
        uint256 _bountyType = bounty.bountyType();

        if (
            _bountyType == OpenQDefinitions.ATOMIC ||
            _bountyType == OpenQDefinitions.ONGOING ||
            _bountyType == OpenQDefinitions.TIERED_PERCENTAGE ||
            _bountyType == OpenQDefinitions.TIERED_FIXED
        ) {
            return status == 0;
        } else {
            return status == 1;
        }
    }

1 means the bounty is closed, thus a bounty with an unknown type is considered claimable if it is closed. I believe this is a wrong assumption. Also, the name of the function is a bit misleading because it actually indicates if the bounty is open, while the reader might think it indicates if you can claim the rewards.

Impact

The claim manager will trick the outside readers and if a new bounty type is introduced in the future, this function will return an inverted result.

Code Snippet

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/ClaimManager/Implementations/ClaimManagerV1.sol#L355-L364

Tool used

Manual Review

Recommendation

It should throw an error (revert with UNKNOWN_BOUNTY TYPE) in the else block.
@github-actions github-actions bot added Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue labels Feb 21, 2023
This was referenced Feb 22, 2023
Closed
Closed
Closed
Closed
Closed
Closed
@FlacoJones FlacoJones added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Feb 23, 2023
@FlacoJones
Copy link

Removed in OpenQDev/OpenQ-Contracts#112

@IAm0x52
Copy link
Collaborator

IAm0x52 commented Mar 6, 2023

Should be low. Behavior is unusual but doesn't pose any risk besides potentially phishing

@hrishibhat
Copy link
Contributor

Agree with Lead Watson comment, considering it a low issue

@sherlock-admin sherlock-admin added Low/Info A valid Low/Informational severity issue Non-Reward This issue will not receive a payout and removed Medium A valid Medium severity issue labels Mar 7, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Low/Info A valid Low/Informational severity issue Non-Reward This issue will not receive a payout Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@hrishibhat @FlacoJones @sherlock-admin @IAm0x52