kiki_dev - Token Address Limit can be reached by sending dust amounts of junk tokens.

[github-actions]

kiki_dev

medium

Token Address Limit can be reached by sending dust amounts of junk tokens.

Summary

Bad actor can prevent an issuer from funding a bounty with their desired token. Making the bounty unusable and protocol unusable.

Vulnerability Detail

After a bounty is minted anyone can contribute fuds to the bounty. When they do they need to go though the fundBountyToken(). There are two checks that occur in the begining of this process. The first checks if the _tokenAdress is not whitelisted. If true the following check is a requrie statement, requiring that tokenAddressLimitReached(_bountyAddress) is false.

This allows a bad actor to deposit x amount of junk tokens to the bounty thus reaching the limit and preventing the actual issuer from depositing their desired token.

Here is a scenario:

For simplicity sake lets say the token limit is 5.

Alice mints a bounty
Bob sees this transaction goes though and deposits 5 junk tokens with more or less zero value.
Alice tries to deposit her protocols Token $GODS as the bounty reward.
$GODS is not whitelisted so depositManager checks if the token limit has been reached. Which due to bobs intererance it has.
Alice can no longer fund her bounty with the desired token.
Alice attempts to create a new bounty
Bob does the same thing which prevents Alice from making a deposit again.
Alice determines that this protocol is unusable because she cant deposit her protocols token.

Impact

DOS will make the protocol unusable for some users that want to post bounties.

Code Snippet

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/DepositManager/Implementations/DepositManagerV1.sol#L45-L48

Tool used

Manual Review

Recommendation

Either have their be a minimum deposit to make this attack to costly. Or allow issuer to always deposit at least 1 token.

Duplicate of #530