This repository has been archived by the owner on May 26, 2023. It is now read-only.
cergyk - Attacker can block funding for OngoingBounty if paymentTokenAddress is non-whitelisted #143
Comments
github-actions
bot
added
Duplicate
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
cergyk
medium
Attacker can block funding for OngoingBounty if paymentTokenAddress is non-whitelisted
Summary
In an OngoingBountyV1 type, the bounty issuer decides the payment token, and the bounty winner has only access to the payment in
payoutTokenAddress. However a malicious user can block funding forpayoutTokenAddressif it is not whitelisted inTokenWhitelistby funding with dust in multiple other non whitelisted tokens to reachopenQTokenWhitelist.TOKEN_ADDRESS_LIMIT().Vulnerability Detail
Impact
Funding in not-whitelisted payoutTokenAddress is blocked rendering the bounty Useless. A new bounty has to be created.
Code Snippet
Tool used
Manual Review
Recommendation
Add the
payoutTokenAddressto the list oftokenAddressesin BountyCore, on creation of anOngoingBountythe adding can be done in the initialization of the bounty:
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/OngoingBountyV1.sol#L89
Duplicate of #530
The text was updated successfully, but these errors were encountered: