Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

XKET - An attacker can prevent claimers from claiming #540

Closed
github-actions bot opened this issue Feb 22, 2023 · 3 comments
Closed

XKET - An attacker can prevent claimers from claiming #540

github-actions bot opened this issue Feb 22, 2023 · 3 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@github-actions
Copy link

github-actions bot commented Feb 22, 2023
edited by hrishibhat
Loading

XKET

high

An attacker can prevent claimers from claiming

Summary

Vulnerability Detail

In DepositManagerV1, fundBountyNFT and fundBountyToken shares the same whitelist. (DepositManagerV1.sol#L36-L50)

    function fundBountyToken(
        address _bountyAddress,
        address _tokenAddress,
        uint256 _volume,
        uint256 _expiration,
        string memory funderUuid
    ) external payable onlyProxy {
        IBounty bounty = IBounty(payable(_bountyAddress));

        if (!isWhitelisted(_tokenAddress)) {
            require(
                !tokenAddressLimitReached(_bountyAddress),
                Errors.TOO_MANY_TOKEN_ADDRESSES
            );
        }

(DepositManagerV1.sol#L113-L122)

    function fundBountyNFT(
        address _bountyAddress,
        address _tokenAddress,
        uint256 _tokenId,
        uint256 _expiration,
        bytes calldata _data
    ) external onlyProxy {
        IBounty bounty = IBounty(payable(_bountyAddress));

        require(isWhitelisted(_tokenAddress), Errors.TOKEN_NOT_ACCEPTED);

So an attacker can call DepositManagerV1.fundBountyNFT using a whitelisted ERC20 token.
isWhitelisted will pass in fundBountyNFTand and BountyCore._receiveNft will call ERC20.safeTransferFrom.
The function signature of ERC20.safeTransferFrom is the same as ERC721.safeTransferFrom. So the deposit will be successful if nftDepositLimit doesn't meet. But when claimers wants to claim the ERC20 deposit as an NFT, ERC20.safeTransferFrom will be called instead of ERC20.safeTransfer. (BountyCore.sol#L257-L264)

    function _transferNft(
        address _tokenAddress,
        address _payoutAddress,
        uint256 _tokenId
    ) internal virtual {
        IERC721Upgradeable nft = IERC721Upgradeable(_tokenAddress);
        nft.safeTransferFrom(address(this), _payoutAddress, _tokenId);
    }

ERC20.safeTransferFrom(address(this), _payoutAddress, _tokenId) will revert because any of bounty contracts doesn't approve from itself to itself.
When claimers can't claim the NFT, the whole claim process will fail for atomic and tiered bounties.

Impact

Claimers can't claim for atomic and tiered bounties.

Code Snippet

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/DepositManager/Implementations/DepositManagerV1.sol#L36-L50
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/DepositManager/Implementations/DepositManagerV1.sol#L113-L122
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/BountyCore.sol#L257-L264

Tool used

Manual Review

Recommendation

Use different whitelist for ERC20 and NFTs.

Duplicate of #352
@github-actions github-actions bot added the High A valid High severity issue label Feb 22, 2023
@FlacoJones
Copy link

Valid. Will Fix.

@FlacoJones FlacoJones added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Feb 22, 2023
@IAm0x52
Copy link
Collaborator

IAm0x52 commented Feb 25, 2023

Dupe of #352

@FlacoJones
Copy link

OpenQDev/OpenQ-Contracts#113

@sherlock-admin sherlock-admin added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Reward A payout will be made for this issue labels Mar 7, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@hrishibhat @FlacoJones @sherlock-admin @IAm0x52