Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

imare - possible grief attack on bounty refund deposit call #550

Closed
github-actions bot opened this issue Feb 22, 2023 · 0 comments
Closed

imare - possible grief attack on bounty refund deposit call #550

github-actions bot opened this issue Feb 22, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

@github-actions
Copy link

github-actions bot commented Feb 22, 2023
edited
Loading

imare

medium

possible grief attack on bounty refund deposit call

Summary

Any depositor/funder has the ability to be refunded after the bounty expiries by calling DepositorManagerV1#refundDeposit method.

An malicious user can block this call by supplying enough deposits to block the calculation of Bounty#getLockedFunds that is called internally by refundDeposit.

Vulnerability Detail

A malicious user can create many legit deposit supplying small amount (example of 1 WEI) of legit ERC20 token.
Or if the bounty has not reached TOKEN_ADDRESS_LIMIT he can use a fake (no value) ERC20 token to supply many valueless deposits trough the call of

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/DepositManager/Implementations/DepositManagerV1.sol#L36

When is time for a user getting a refund the following for loop is used

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/BountyCore.sol#L340-L348

Which fetches all deposits ever made to the bounty

bytes32[] memory depList = this.getDeposits();

and checks every deposit made that is the one made with the right token address for the user supplied deposit id.

                tokenAddress[depList[i]] == _depositId

Note: _depositId is the ERC20 tokenAddress that the deposit was made for

If there are many deposits it can be too expensive for the loop and use all supplied gas and revert.

Impact

Malicious user can block (or make it more expensive) the protocol functionality of refunding users so the ERC20 tokens are blocked inside the bounty contract.

Code Snippet

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/BountyCore.sol#L340-L348

Tool used

Manual Review

Recommendation

A simple solution would be when depositing funds with ERC20 require a minimum deposit amount. In this case a better approach would be to let the bounty owner specify what is a minimum amount per ERC20 token.

Duplicate of #77
@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue labels Feb 22, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Mar 7, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin