This repository has been archived by the owner on May 26, 2023. It is now read-only.
ast3ros - [M-02] receivingFunds is subjected to DDOS attacks #432
Comments
github-actions
bot
added
Duplicate
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
ast3ros
medium
[M-02] receivingFunds is subjected to DDOS attacks
Summary
When receiving funds, the
receivingFundsfunction allow maximum of not-yet-whitelist tokens to be deposited into the bounty.https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/DepositManager/Implementations/DepositManagerV1.sol#L45-L50
A malicious account could deposit any ERC20 tokens they want into bounty with the amount of 1 wei. If they deposit number of tokens equal
TOKEN_ADDRESS_LIMIT, the bounty will not accept any valid tokens from the issuer.Vulnerability Details
The
receivingFundsfunction accept any ERC20 tokens and record it totokenAddressesset.https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/DepositManager/Implementations/DepositManagerV1.sol#L45-L50
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/BountyCore.sol#L55
The length of the
tokenAddressesset can be manipulated by any external account.Impact
TOKEN_ADDRESS_LIMIT.tokenAddressesset is higher.Code Snippet
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/DepositManager/Implementations/DepositManagerV1.sol#L45-L50
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/BountyCore.sol#L55
Tool used
Manual
Recommendation
Allow issuers to whitelist token address for their own bounty. The bounty only receives funds using whitelist tokens
Duplicate of #530
The text was updated successfully, but these errors were encountered: