rvierdiiev - ClaimManagerV1 will not be able to claim for user if he is blocked by any reward token

[github-actions]

rvierdiiev

medium

ClaimManagerV1 will not be able to claim for user if he is blocked by any reward token

Summary

ClaimManagerV1 will not be able to claim for user if he is blocked by any reward token.

Vulnerability Detail

ClaimManagerV1 ._claimAtomicBounty function is responsible for claiming tokens for user.
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/ClaimManager/Implementations/ClaimManagerV1.sol#L123-L166

    function _claimAtomicBounty(
        IAtomicBounty _bounty,
        address _closer,
        bytes calldata _closerData
    ) internal {
        _eligibleToClaimAtomicBounty(_bounty, _closer);


        for (uint256 i = 0; i < _bounty.getTokenAddresses().length; i++) {
            uint256 volume = _bounty.claimBalance(
                _closer,
                _bounty.getTokenAddresses()[i]
            );


            emit TokenBalanceClaimed(
                _bounty.bountyId(),
                address(_bounty),
                _bounty.organization(),
                _closer,
                block.timestamp,
                _bounty.getTokenAddresses()[i],
                volume,
                _bounty.bountyType(),
                _closerData,
                VERSION_1
            );
        }


        for (uint256 i = 0; i < _bounty.getNftDeposits().length; i++) {
            _bounty.claimNft(_closer, _bounty.nftDeposits(i));


            emit NFTClaimed(
                _bounty.bountyId(),
                address(_bounty),
                _bounty.organization(),
                _closer,
                block.timestamp,
                _bounty.tokenAddress(_bounty.nftDeposits(i)),
                _bounty.tokenId(_bounty.nftDeposits(i)),
                _bounty.bountyType(),
                _closerData,
                VERSION_1
            );
        }
    }

It iterates over all tokens that were deposited and then calls _bounty.claimBalance, which will transfer all balance to recipient.

The problem that in case if any of that calls will revert, then all claim will reward and user will receive nothing.
The transfer can revert with different reasons. It can be paused, or user address can be blocked inside token.

Example:
1.User who is blocked by usdt token is working on project. Payment tokens doesn't include USDT.
2.Someone malicious deposits small amount of USDT token to the contract, so USDT is added to the tokenAddresses list.
3.When oracle claims for user, tx reverts because of usdc.

Impact

User can't receive payment.

Code Snippet

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/AtomicBountyV1.sol#L89-L98
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/ClaimManager/Implementations/ClaimManagerV1.sol#L123-L166

Tool used

Manual Review

Recommendation

Think about ability to pull tokens one by one for user.

Duplicate of #62