This repository has been archived by the owner on May 26, 2023. It is now read-only.

ck - Blacklisted user may prevent certain bounty claims #544

Closed
github-actions bot opened this issue Feb 22, 2023 · 4 comments
Labels
Escalation Resolved This issue's escalations have been approved/rejected Non-Reward This issue will not receive a payout

Comments

@github-actions

github-actions bot commented Feb 22, 2023

ck

high

Blacklisted user may prevent certain bounty claims

Summary

Blacklisted user may prevent certain bounty claims

Vulnerability Detail

If a user becomes blacklisted for the token being claimed, e.g. is added to the USDC blacklist and the USDC token is being claimed, they would prevent bounty claims from happening.

For example: In _claimTieredPercentageBounty there is a loop used in claiming:

        for (uint256 i = 0; i < _bounty.getTokenAddresses().length; i++) {
            // one push transfer per token; a revert for any token undoes the whole claim
            uint256 volume = _bounty.claimTiered(
                _closer,
                _tier,
                _bounty.getTokenAddresses()[i]
            );

This would revert whenever a transfer is attempted to a blacklisted user.

Impact

Denial of service in certain claim functions.

Code Snippet

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/ClaimManager/Implementations/ClaimManagerV1.sol#L230-L235

Tool used

Manual Review

Recommendation

Skip blacklisted users in claim processes

@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue labels Feb 22, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Mar 7, 2023
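The failure mode described in the report, and one way to harden a multi-token claim loop against it, as an added example. This is not OpenQ's code and not part of the original issue: the contract names BlacklistToken, PushClaim and ResilientClaim are hypothetical stand-ins for the real ClaimManager/Bounty pair, and the token is a minimal USDC-style mock whose transfer reverts for a blacklisted sender or recipient.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not OpenQ's code. Every contract name below (BlacklistToken,
// PushClaim, ResilientClaim) is hypothetical and stands in for the real
// ClaimManager/Bounty pair only to show the failure mode and one fix.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Minimal USDC-style token: any transfer touching a blacklisted address reverts.
contract BlacklistToken is IERC20 {
    address public immutable owner;
    mapping(address => uint256) public override balanceOf;
    mapping(address => bool) public blacklisted;

    constructor() { owner = msg.sender; }

    function mint(address to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        balanceOf[to] += amount;
    }

    function setBlacklisted(address account, bool value) external {
        require(msg.sender == owner, "not owner");
        blacklisted[account] = value;
    }

    function transfer(address to, uint256 amount) external override returns (bool) {
        require(!blacklisted[msg.sender] && !blacklisted[to], "Blacklistable: account is blacklisted");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Pattern from the report: one loop pushes every token to the closer. If the
// closer is blacklisted for any single token, that transfer reverts and the
// whole claim (including the other tokens) is undone.
contract PushClaim {
    address[] public tokens;

    constructor(address[] memory tokenAddresses) { tokens = tokenAddresses; }

    function claim(address closer) external {
        for (uint256 i = 0; i < tokens.length; i++) {
            IERC20 token = IERC20(tokens[i]);
            uint256 amount = token.balanceOf(address(this));
            require(token.transfer(closer, amount), "transfer failed"); // reverts for a blacklisted closer
        }
    }
}

// Hardened variant: a transfer that reverts or returns false is not fatal. The
// amount is booked as owed instead, and the closer can later pull it to any
// address of their choosing, so a blacklist on one token cannot block the rest.
contract ResilientClaim {
    address[] public tokens;
    mapping(address => mapping(address => uint256)) public owed; // closer => token => amount
    mapping(address => uint256) public totalOwed;                // token => amount still held for claimers

    constructor(address[] memory tokenAddresses) { tokens = tokenAddresses; }

    function claim(address closer) external {
        for (uint256 i = 0; i < tokens.length; i++) {
            IERC20 token = IERC20(tokens[i]);
            // Only the part of the balance not already reserved for earlier claimers is payable.
            uint256 amount = token.balanceOf(address(this)) - totalOwed[tokens[i]];
            if (amount == 0) continue;

            bool ok;
            // try/catch turns a revert inside the token (the blacklist check) into a boolean.
            try token.transfer(closer, amount) returns (bool result) {
                ok = result;
            } catch {
                ok = false;
            }
            if (!ok) {
                owed[closer][tokens[i]] += amount;
                totalOwed[tokens[i]] += amount;
            }
        }
    }

    // Pull path: effects before the external call so a reentrant withdraw cannot double-spend.
    function withdraw(address token, address to) external {
        uint256 amount = owed[msg.sender][token];
        require(amount > 0, "nothing owed");
        owed[msg.sender][token] = 0;
        totalOwed[token] -= amount;
        require(IERC20(token).transfer(to, amount), "transfer failed");
    }
}
```

Deploy BlacklistToken, mint to a PushClaim and a ResilientClaim instance, blacklist the closer, and call claim on each: PushClaim reverts with the token's blacklist message, while ResilientClaim completes, records the blocked amount under owed, and lets the closer pull it later with withdraw to an address that is not blacklisted. Two caveats: the catch swallows every revert reason, so a token that is paused or otherwise failing is also booked as owed rather than aborting the claim, which is the intended "skip" behaviour but should be surfaced with an event in real code; and the balanceOf minus totalOwed bookkeeping assumes the token's balance does not drop on its own (no fee-on-transfer or negative rebase), otherwise the subtraction underflows and the claim reverts.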
@iamckn

iamckn commented Mar 9, 2023

Escalate for 45 USDC

An issue about a blacklisted user should be unique and not grouped with malicious tokens. This is because the cause is different. The argument that it has the same effect as malicious ERC20s shouldn't be the only determinant of uniqueness.
In audits, several unique issues can lead to the same effect, but the root cause has to be a critical factor; otherwise the developers would assume all duplicate issues are caused by the same bug and they may apply incorrect fixes. For instance, the developers have suggested whitelisting tokens that will be used in the pool, which wouldn't fix this issue.

Tokens such as USDC will most likely be included in the protocol and are therefore not malicious. A user who gets added to the USDC blacklist may not even be malicious, but they would still affect the protocol.

@sherlock-admin
Contributor

sherlock-admin commented Mar 9, 2023

You've created a valid escalation for 45 USDC!

To remove the escalation from consideration: Delete your comment.
To change the amount you've staked on this escalation: Edit your comment (do not create a new comment).

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

@sherlock-admin sherlock-admin added the Escalated This issue contains a pending escalation label Mar 9, 2023
@Evert0x Evert0x removed the High A valid High severity issue label Mar 16, 2023
@Evert0x

Evert0x commented Mar 16, 2023

Escalation accepted.

An issue about a blacklisted user should be unique and not grouped with malicious token.

Correct, but this only blocks the one user that's blacklisted; it doesn't affect other users in the protocol. In the extremely unlikely case they got blacklisted, they could just re-associate their ID with a different address to get the payout.

Closing issue as it's not a valid medium or high.

@sherlock-admin
Contributor

This issue's escalations have been accepted!

Contestants' payouts and scores will be updated according to the changes made on this issue.

@sherlock-admin sherlock-admin added Escalation Resolved This issue's escalations have been approved/rejected Non-Reward This issue will not receive a payout and removed Escalated This issue contains a pending escalation Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Reward A payout will be made for this issue labels Mar 16, 2023