Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

HonorLt - Malicious token can block tiered percentage bounty close #436

Closed
github-actions bot opened this issue Feb 21, 2023 · 0 comments
Closed

HonorLt - Malicious token can block tiered percentage bounty close #436

github-actions bot opened this issue Feb 21, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

@github-actions
Copy link

github-actions bot commented Feb 21, 2023
edited
Loading

HonorLt

high

Malicious token can block tiered percentage bounty close

Summary

It might be impossible to close the tiered percentage bounty if any token balance calculation fails.

Vulnerability Detail

When closing the tiered percentage bounty competition it iterates over all the tokens and gets their respective balances:

    function closeCompetition() external onlyClaimManager {
        require(
            status == OpenQDefinitions.OPEN,
            Errors.CONTRACT_ALREADY_CLOSED
        );

        status = OpenQDefinitions.CLOSED;
        bountyClosedTime = block.timestamp;

        for (uint256 i = 0; i < getTokenAddresses().length; i++) {
            address _tokenAddress = getTokenAddresses()[i];
            fundingTotals[_tokenAddress] = getTokenBalance(_tokenAddress);
        }
    }

The problem is that token.balanceOf might revert if a malicious token was inserted among other funds. This is highly possible because any token can be used unless the limit is reached:

    function fundBountyToken(
        address _bountyAddress,
        address _tokenAddress,
        uint256 _volume,
        uint256 _expiration,
        string memory funderUuid
    ) external payable onlyProxy {
        IBounty bounty = IBounty(payable(_bountyAddress));

        if (!isWhitelisted(_tokenAddress)) {
            require(
                !tokenAddressLimitReached(_bountyAddress),
                Errors.TOO_MANY_TOKEN_ADDRESSES
            );
        }

Impact

If a malicious token that reverts on a certain balanceOf call, is inserted in the tiered percentage bounty funds, it will be impossible to close this bounty.

Code Snippet

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/TieredPercentageBountyV1.sol#L132-L135

Tool used

Manual Review

Recommendation

There are many possibilities. For example, you can try/catch and set the balance to 0 if it reverts, or get the balance only when claiming and allow specifying which tokens to claim.

Duplicate of #62
@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue labels Feb 21, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Mar 7, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin