Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

carrot - Function closeCompetition() in TieredBountyPercentage contract can be bricked, stopping claims #84

Closed
github-actions bot opened this issue Feb 21, 2023 · 3 comments
Closed

carrot - Function closeCompetition() in TieredBountyPercentage contract can be bricked, stopping claims #84

github-actions bot opened this issue Feb 21, 2023 · 3 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@github-actions
Copy link

github-actions bot commented Feb 21, 2023
edited by hrishibhat
Loading

carrot

high

Function closeCompetition() in TieredBountyPercentage contract can be bricked, stopping claims

Summary

The function closeCompetition() in contract TieredBountyPercentage is called when a claim is made. This function however makes unsafe external calls which, if it reverts, can stop the funds from being claimed.

Vulnerability Detail

The function closecompetition is defined as shown
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/TieredPercentageBountyV1.sol#L123-L136
This function is crucial for the claiming process, since if this function reverts, the claims do not go through.

This function calls getTokenBalance, which ends up calling the contract at _tokenAddress to check the balance
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/BountyCore.sol#L275-L286
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/BountyCore.sol#L291-L299

A user can deposit the contract with a malicious token contract, and make the balanceOf() call revert when the bounty contract tries to call it. This will stop the claims process and break the bounty.

Impact

Broken bounty contract where winners are unable to claim their prize tokens/Nfts

Code Snippet

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/TieredPercentageBountyV1.sol#L123-L136

Tool used

Manual Review

Recommendation

Make external calls such as balanceOf() inside a try-catch block, to prevent unintended reverts.

Duplicate of #62
@github-actions github-actions bot added the High A valid High severity issue label Feb 21, 2023
@FlacoJones
Copy link

Will fix by implementing an explicit token whitelist

@FlacoJones FlacoJones added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Feb 23, 2023
@FlacoJones
Copy link

OpenQDev/OpenQ-Contracts#112 and OpenQDev/OpenQ-Contracts#113

@IAm0x52
Copy link
Collaborator

IAm0x52 commented Mar 5, 2023

Dupe of #62. Same root cause of adding a malicious ERC20

@sherlock-admin sherlock-admin added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Reward A payout will be made for this issue labels Mar 7, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@hrishibhat @FlacoJones @sherlock-admin @IAm0x52