This repository has been archived by the owner on May 26, 2023. It is now read-only.
Ruhum - Attacker can DOS bounty by funding it with worthless ERC20 tokens #75
Comments
github-actions
bot
added
Duplicate
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Ruhum
medium
Attacker can DOS bounty by funding it with worthless ERC20 tokens
Summary
Bounties can only be funded with a set number of non-whitelisted ERC20 tokens. By adding worthless ERC20 tokens an attacker can stop the bounty issuer from adding their own deposit.
Vulnerability Detail
In
DepositManagerV1.fundBountyToken()the contract limits the number of non-whitelisted ERC20 token deposits. By adding worthless ERC20 tokens an attacker can stop the bounty issuer from adding their own deposit. This will only work for bounties funded with non-whitelisted ERC20 tokens, e.g. the project's own token.Impact
Bounty issuer won't be able to fund their bounty.
Code Snippet
DepositManagerV1.fundBountyToken()function fundBountyToken( address _bountyAddress, address _tokenAddress, uint256 _volume, uint256 _expiration, string memory funderUuid ) external payable onlyProxy { IBounty bounty = IBounty(payable(_bountyAddress)); if (!isWhitelisted(_tokenAddress)) { require( !tokenAddressLimitReached(_bountyAddress), Errors.TOO_MANY_TOKEN_ADDRESSES ); } // ...Tool used
Manual Review
Recommendation
Using a bounty-specific whitelist would allow the issuer to specify the tokens they accept.
Duplicate of #530
The text was updated successfully, but these errors were encountered: