topocount
commented
1 day ago All confirmed affected incentive impls:
- CGDAIncentive
- ERC1155Incentive
- ERC20Incentive
- ERC20VariableIncentive
Open Quazia opened 1 week ago
topocount
commented
1 day ago All confirmed affected incentive impls:
Is there an existing issue for this?
Package Version
0.0.0-alpha.12
Current Behavior
Summary BoostCore.sol will always be set as the owner of Boost provided incentive contracts because the initializer is called here within _makeIncentives. Therefore any function using the onlyOwner modifier within the incentive contracts must be called by BoostCore. For example, there is no way to call drawRaffle or clawback from the BoostCore contract.
Expected Behavior
No response
Steps To Reproduce
Root Cause createBoost is called to create a new boost. Each incentive is initialized by the call to _makeIncentives. Within _makeIncentives the initializer is called for each incentive. The initializer function within each incentive contract sets the owner as msg.sender which would be the BoostCore contract.
Internal pre-conditions Boost is created using the out of the box incentive contract as one of the incentives including: ERC20Incentive, CGDAIncentive, ERC20VariableIncentive, and ERC1155Incentive External pre-conditions No response
Attack Path User calls createBoost to create a new Boost They choose to use an out of the box incentive contract listed above They are initialized with BoostCore as the owner Impact No winner can be drawn for raffle contests through ERC20Incentive contract Any funds in the contract that need to be rescued cannot be retrieved through clawback PoC
Link to Minimal Reproducible Example (StackBlitz, CodeSandbox, GitHub repo etc.)
https://github.com/sherlock-audit/2024-06-boost-aa-wallet-judging/issues/43
Anything else?
No response