csanuragjain - DOS bounty funding

[github-actions]

csanuragjain

medium

DOS bounty funding

Summary

Each bounty is only allowed to have openQTokenWhitelist.TOKEN_ADDRESS_LIMIT() number of tokens. Attacker can frontrun the bounty owner funding request in a way which DOS bounty owner funding request

Vulnerability Detail

1. A bounty was created at address A
2. Lets say for simplicity openQTokenWhitelist.TOKEN_ADDRESS_LIMIT() is set to 1
3. Ideally only one token should be allowed for funding
4. Bounty owner tries funding token X
5. Attacker immediately frontrun this request and instead fund a malicious token X. Since TOKEN_ADDRESS_LIMIT is not reached funding is accepted

if (!isWhitelisted(_tokenAddress)) {
            require(
                !tokenAddressLimitReached(_bountyAddress),
                Errors.TOO_MANY_TOKEN_ADDRESSES
            );
        }

7. Bounty owner funding from Step 4 is reverted since limit is already reached
8. Bounty owner can have the limit increased but Attacker can again frontrun, making sure that bounty owner is never fund the bounty

Impact

Attacker can DOS bounty owner from funding

Code Snippet

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/DepositManager/Implementations/DepositManagerV1.sol#L45-L50

Tool used

Manual Review

Recommendation

Funding should only be allowed for Whitelisted token. If user is trying to fund non whitelisted token then owner should first whitelist that token

Duplicate of #530