Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

Jeiwan - Non-whitelisted tokens cannot be added if the limit of token addresses is filled with whitelisted ones #530

Open
github-actions bot opened this issue Feb 22, 2023 · 3 comments
Open

Jeiwan - Non-whitelisted tokens cannot be added if the limit of token addresses is filled with whitelisted ones #530

github-actions bot opened this issue Feb 22, 2023 · 3 comments
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@github-actions
Copy link

Jeiwan

medium

Non-whitelisted tokens cannot be added if the limit of token addresses is filled with whitelisted ones

Summary

Non-whitelisted tokens cannot be deposited to a bounty contract if too many whitelisted contracts were deposited.

Vulnerability Detail

The DepositManagerV1.fundBountyToken function allows depositing both whitelisted and non-whitelisted tokens by implementing the following check:

  1. if a token is whitelisted, it can be deposited without restrictions;
  2. if a token is not whitelisted, it cannot be deposited if openQTokenWhitelist.TOKEN_ADDRESS_LIMIT tokens have already been deposited.

However, while the token addresses limit requirement is only applied to non-whitelisted tokens, whitelisted tokens also increase the counter of token addresses: both non-whitelisted and whitelisted token addresses are added to the tokenAddresses set.

Impact

Bounty minters may not be able to deposit non-whitelisted tokens after they have deposited multiple whitelisted ones.

Code Snippet

DepositManagerV1.sol#L45-L50
BountyCore.sol#L326-L328
BountyCore.sol#L55

Tool used

Manual Review

Recommendation

Consider excluding whitelisted token addresses when checking the number of deposited tokens against the limit.
@github-actions github-actions bot added Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue labels Feb 22, 2023
This was referenced Feb 22, 2023
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@FlacoJones FlacoJones added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Feb 22, 2023
@FlacoJones
Copy link

We are going to remove the ability to fund with an arbitrary ERC20 - removing the TOKEN_ADDRESS_LIMIT and simply reverting if a token, erc721 or erc20, is not whitelisted



This will effectively cap the number of ERC20 or ERC721 tokens to the total number of whitelisted tokens (which the protocol controls)

@FlacoJones
Copy link

OpenQDev/OpenQ-Contracts#113

@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Mar 7, 2023
@jacksanford1
Copy link

Lead Senior Watson comment on PR #113:

Changes look good.

Token requirement has been simplified to just a whitelist. It makes the rest changes to support this revision. tokenAddressLimitReach method has been removed from DepositManagerV1. _tokenAddressLimit has been removed from TokenWhitelist constructor. TOKEN_ADDRESS_LIMIT has been removed along with it's setter. Tests have been updated to accommodate changes.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jacksanford1 @FlacoJones @sherlock-admin