This repository has been archived by the owner on May 26, 2023. It is now read-only.

ck - _claimTieredFixedBounty claims only one token while supporting multiple NFTs #508

Closed
github-actions bot opened this issue Feb 22, 2023 · 4 comments
Labels
Low/Info (A valid Low/Informational severity issue); Non-Reward (This issue will not receive a payout); Sponsor Confirmed (The sponsor acknowledged this issue is valid); Will Fix (The sponsor confirmed this issue will be fixed)

Comments

@github-actions

ck

medium

_claimTieredFixedBounty claims only one token while supporting multiple NFTs

Summary

_claimTieredFixedBounty claims only one token but supports multiple NFTs

Vulnerability Detail

_claimTieredFixedBounty allows only the claim of one token while maintaining the capability to claim multiple NFTs:

If the intention is to only allow one payout token, then the funding of the bounty should be restricted to that one token.

In addition, the support of claiming multiple NFTs conflicts with the setting of a payoutSchedule that supports one _payoutTokenAddress.

    /// @notice Sets the payout schedule
    /// @param _payoutSchedule An array of payout volumes for each tier
    /// @param _payoutTokenAddress The address of the token to be used for the payout
    function setPayoutScheduleFixed(
        uint256[] calldata _payoutSchedule,
        address _payoutTokenAddress
    ) external onlyOpenQ {
        require(
            bountyType == OpenQDefinitions.TIERED_FIXED,
            Errors.NOT_A_FIXED_TIERED_BOUNTY
        );
        payoutSchedule = _payoutSchedule;
        payoutTokenAddress = _payoutTokenAddress;

Impact

Temporary locking of funds.

Code Snippet

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/TieredFixedBountyV1.sol#L138-L147

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/ClaimManager/Implementations/ClaimManagerV1.sol#L278-L341

Tool used

Manual Review

Recommendation

Either allow the claiming of multiple tokens and NFTs or disable support for them for Tiered Fixed Bounties.

@github-actions github-actions bot added the Medium A valid Medium severity issue label Feb 22, 2023
@FlacoJones

Valid. We will likely disable them for TieredFixed for now.

@FlacoJones FlacoJones added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Feb 22, 2023
@IAm0x52
Collaborator

IAm0x52 commented Feb 25, 2023

Invalid. This is literally just a design decision. Why do they have to be the same number of tokens?

@FlacoJones

@hrishibhat
Contributor

Agree with Lead watson's comment.

@sherlock-admin sherlock-admin added Low/Info A valid Low/Informational severity issue Non-Reward This issue will not receive a payout and removed Medium A valid Medium severity issue labels Mar 7, 2023