This repository has been archived by the owner on May 26, 2023. It is now read-only.
carrot - Refunds can be bricked by triggering OOG (out of gas) in DepositManager #77
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
High
A valid High severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
Comments
github-actions
bot
added
Has Duplicates
This was referenced Feb 22, 2023
Closed
This was referenced Feb 22, 2023
Closed
|
Confirmed. Will fix by requiring funder == issuer and implementing a simple deposit volume greater than/less than token balance after claims |
FlacoJones
added
Sponsor Confirmed
This was referenced Mar 16, 2023
|
Lead Senior Watson comment on PR #116:
Lead Senior Watson comment on PR #117:
|
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
carrot
high
Refunds can be bricked by triggering OOG (out of gas) in DepositManager
Summary
The
DepositManagercontract is in charge of refunding tokens from the individual bounties. This function ends up running a for loop over an unbounded array. This array can be made to be sufficiently large to exceed the block gas limit and cause out-of-gas errors and stop the processing of any refunds.Vulnerability Detail
The function
refundDeposit()inDepositManager.solis responsible for handling refunds, through the following snippet of code,https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/DepositManager/Implementations/DepositManagerV1.sol#L152-L181
We are here interested in the line
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/DepositManager/Implementations/DepositManagerV1.sol#L171-L172
which calculates available funds. If we check the function
getLockedFunds(), we see it run a for loophttps://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/BountyCore.sol#L333-L352
This loop is running over the list of ALL deposits. The deposit list is unbounded, since there are no checks for such limits in the
receiveFunds()function. This can result in a very long list, causing out-of-gas errors when making refund calls.Impact
Inability to withdraw funds. Can be forever locked into the contract.
Code Snippet
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/BountyCore.sol#L333-L352
Tool used
Manual Review
Recommendation
Put a bound on the function
receiveFundsto limit the number of deposits allowed.The text was updated successfully, but these errors were encountered: