This repository has been archived by the owner on May 26, 2023. It is now read-only.

seyni - Funders can deny rewards to last claimants by calling refundDeposit between tiers claims #64

Closed
github-actions bot opened this issue Feb 21, 2023 · 3 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments


github-actions bot commented Feb 21, 2023

seyni

high

Funders can deny rewards to last claimants by calling refundDeposit between tiers claims

Summary

refundDeposit can be called between tiers claims which will result in last claimants not receiving their rewards.

Vulnerability Detail

Let's say several funders contributed to a TieredPercentageBountyV1 bounty 1000 USDC and with payoutSchedule == [50,30,20]. When claimants have validated their obligation, they will be able to call permissionedClaimTieredBounty. Consider the following scenario:

  • The 2nd and 3rd place claimants first call permissionedClaimTieredBounty and together claim 50% of the available USDC, or 500 USDC.
  • A funder calls refund and gets 200 USDC back (assuming all USDC are unlocked).
  • 300 USDC are left and the 1st place claimant calls permissionedClaimTieredBounty, which will revert because in TieredPercentageBountyV1, claimTiered will call _transferToken with 500 USDC as claimedBalance.

There are several scenarios which will all eventually lead to (at least) the last claimant not receiving his rewards.

Impact

Funders can grief the last claimants by calling refundDeposit between tiers claims. Winners of a competition will not get their rewards.

Code Snippet

TieredPercentageBountyV1.sol#L104-L120

    function claimTiered(
        address _payoutAddress,
        uint256 _tier,
        address _tokenAddress
    ) external onlyClaimManager nonReentrant returns (uint256) {
        require(
            bountyType == OpenQDefinitions.TIERED_PERCENTAGE,
            Errors.NOT_A_TIERED_BOUNTY
        );
        require(!tierClaimed[_tier], Errors.TIER_ALREADY_CLAIMED);

        // Payout is derived from fundingTotals, which refunds do not reduce
        uint256 claimedBalance = (payoutSchedule[_tier] *
            fundingTotals[_tokenAddress]) / 100;

        _transferToken(_tokenAddress, claimedBalance, _payoutAddress);
        return claimedBalance;
    }

Tool used

Manual Review

Recommendation

The origin of this issue is that the refundDeposit function can be called by a funder after the end of a competition. Therefore, I recommend stopping refunds after the closing of a competition by using require(status == OpenQDefinitions.OPEN, Errors.CONTRACT_IS_CLOSED); in BountyCore.refundDeposit.
With this added, if nobody claims the rewards, the funds would be locked in the contract. Thus, I additionally recommend adding a permissioned function for the bounty issuer to retrieve funds if necessary when the bounty is closed.

Duplicate of #266
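The accounting mismatch behind this report, replayed as an added Python model (constructed for illustration, not OpenQ's Solidity): payouts are computed from a funding total that refunds never reduce, while the actual token balance does shrink. The same model with the recommended status check shows the refund being rejected and the 1st place claim going through. Deposit ids, the five-funder split and the error strings are assumptions of the model.

```python
class BountyModel:
    """Constructed model of the accounting in the report, not OpenQ's code."""

    def __init__(self, payout_schedule, block_refunds_when_closed=False):
        self.payout_schedule = payout_schedule           # e.g. [50, 30, 20]
        self.block_refunds_when_closed = block_refunds_when_closed
        self.funding_total = 0    # fundingTotals[token]: not reduced by refunds
        self.balance = 0          # tokens actually held by the contract
        self.deposits = {}        # deposit id -> amount (all assumed unlocked)
        self.status = "OPEN"      # OpenQDefinitions.OPEN / CLOSED

    def fund(self, deposit_id, amount):
        self.deposits[deposit_id] = amount
        self.funding_total += amount
        self.balance += amount

    def refund_deposit(self, deposit_id):
        # Check recommended by the report; absent in the vulnerable version.
        if self.block_refunds_when_closed and self.status != "OPEN":
            raise RuntimeError("CONTRACT_IS_CLOSED")
        self.balance -= self.deposits.pop(deposit_id)  # funding_total unchanged

    def claim_tiered(self, tier):
        claimed = self.payout_schedule[tier] * self.funding_total // 100
        if claimed > self.balance:
            raise RuntimeError("insufficient balance")  # token transfer reverts
        self.balance -= claimed
        return claimed


def run_scenario(block_refunds_when_closed):
    """Replay the report's sequence: (refund succeeded, payouts, claim error)."""
    b = BountyModel([50, 30, 20], block_refunds_when_closed)
    for i in range(5):
        b.fund(i, 200)                    # five funders, 1000 USDC in total
    b.status = "CLOSED"                   # competition is over, claims begin
    paid = [b.claim_tiered(1), b.claim_tiered(2)]   # 2nd and 3rd place: 300 + 200
    try:
        b.refund_deposit(0)               # a funder pulls 200 USDC back
        refunded = True
    except RuntimeError:
        refunded = False
    try:
        paid.append(b.claim_tiered(0))    # 1st place expects 500 USDC
        return refunded, paid, None
    except RuntimeError as e:
        return refunded, paid, str(e)
```

`run_scenario(False)` reproduces the griefed 1st place claim; `run_scenario(True)` shows the refund rejected with CONTRACT_IS_CLOSED and all three tiers paid.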

@github-actions github-actions bot added the High A valid High severity issue label Feb 21, 2023
@FlacoJones FlacoJones added Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Feb 23, 2023
@FlacoJones

Will fix by removing Ongoing bounty for now



IAm0x52 commented Mar 5, 2023

Dupe of #266

@sherlock-admin sherlock-admin added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Reward A payout will be made for this issue and removed Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Mar 7, 2023