Some of the error messages specified in require() are not informative (e.g., "Vault: token id is not a withdraw", "insufficient"). In Depositors, the error message points to the Claimers instead of Depositors.
The messages were kept short for optimization reasons. They are enough for the purposes they serve, and should not appear under regular use of the contracts.
Handle
palina
Vulnerability details
Impact
Some of the error messages specified in require() are not informative (e.g., "Vault: token id is not a withdraw", "insufficient"). In Depositors, the error message points to the Claimers instead of Depositors.
Proof of Concept
https://github.com/code-423n4/2022-01-sandclock/blob/a90ad3824955327597be00bb0bd183a9c228a4fb/sandclock/contracts/vault/Depositors.sol#L30
https://github.com/code-423n4/2022-01-sandclock/blob/a90ad3824955327597be00bb0bd183a9c228a4fb/sandclock/contracts/strategy/BaseStrategy.sol#L165
https://github.com/code-423n4/2022-01-sandclock/blob/a90ad3824955327597be00bb0bd183a9c228a4fb/sandclock/contracts/strategy/BaseStrategy.sol#L166
Tools Used
Manual Analysis
Recommended Mitigation Steps
Make sure that error messages are informative and factual.
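As an added illustration (hypothetical contracts, not the Sandclock code at the linked lines), the first contract reproduces the pattern the finding describes, and the second replaces the terse revert strings with Solidity custom errors (available since 0.8.4), which carry the failing values in the revert data and cost less gas than string messages, so they address both this finding and the sponsor's optimization concern:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Hypothetical "before": short require() strings that say little about
// why the call reverted, and a Depositors contract whose message names
// the wrong contract.
contract VaultBefore {
    mapping(uint256 => address) public ownerOf;   // token id -> owner
    mapping(uint256 => uint256) public amountOf;  // token id -> balance

    function withdraw(uint256 id, uint256 amount) external {
        require(ownerOf[id] == msg.sender, "Vault: token id is not a withdraw");
        require(amountOf[id] >= amount, "insufficient");
        amountOf[id] -= amount;
    }
}

contract DepositorsBefore {
    address public immutable vault;
    constructor(address _vault) { vault = _vault; }
    modifier onlyVault() {
        require(msg.sender == vault, "Claimers: not allowed"); // wrong contract named
        _;
    }
}

// Hypothetical "after": custom errors name the contract, the condition,
// and the values involved; a failed call reverts with e.g.
// NotTokenOwner(7, 0xCaller, 0xOwner) instead of an opaque string.
contract VaultAfter {
    error NotTokenOwner(uint256 id, address caller, address owner);
    error InsufficientBalance(uint256 id, uint256 requested, uint256 available);

    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => uint256) public amountOf;

    function withdraw(uint256 id, uint256 amount) external {
        address owner = ownerOf[id];
        if (owner != msg.sender) revert NotTokenOwner(id, msg.sender, owner);
        uint256 available = amountOf[id];
        if (available < amount) revert InsufficientBalance(id, amount, available);
        amountOf[id] -= amount;
    }
}

contract DepositorsAfter {
    error DepositorsOnlyVault(address caller, address vault);
    address public immutable vault;
    constructor(address _vault) { vault = _vault; }
    modifier onlyVault() {
        if (msg.sender != vault) revert DepositorsOnlyVault(msg.sender, vault);
        _;
    }
}
```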