0xdeadbeef - Attacker can prevent funders from funding none-whitelisted ERC20 tokens

[github-actions]

0xdeadbeef

medium

Attacker can prevent funders from funding none-whitelisted ERC20 tokens

Summary

fundBountyToken which is used to deposit ERC20 tokens to a bounty restricts funding of none-whitelisted ERC20 tokens to the amount specified in openQTokenWhitelist (currently 5).

An attacker can deposit 5 none-whitelisted arbitrary tokens before the real funder does. This will prevent the funder from being able to fund the none-whitelisted ERC20 token.

Vulnerability Detail

fundBountyToken has the following require to check if a token that is not whitelisted can be deposited.
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/DepositManager/Implementations/DepositManagerV1.sol#L45-L50

It checks if TOKEN_ADDRESS_LIMIT tokens have already been deposited:
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/DepositManager/Implementations/DepositManagerV1.sol#L207-L217

An attacker can deposit TOKEN_ADDRESS_LIMIT times arbitrary tokens to make this require revert.
The tokens can be either attacker created (free supply) or very small amount of existing ERC20 tokens.

Impact

Funders will be prevented from depositing none-whitelisted ERC20 tokens.

Code Snippet

In the description

Tool used

Manual Review

Recommendation

Even though there is a need for bounties to be crowdfundable, some restrictions can be applied:
Examples:

1. Funders would need to stake MATIC that would only get released after a few day, issuer can slash the MATIC if he sees that the funder is malicious - This will make it less incentivized for attackers to perform the attack.
2. Allow the issuer to remove funds/tokens from the bounty.

This assumes there is full trust between issuers and funders, as is true in this project anyway.

Duplicate of #530