code-423n4 / 2022-02-concur-findings


Shelter `claimed` mapping is set with `_to` address and not `msg.sender` #103

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-concur/blob/72b5216bfeaa7c52983060ebfc56e72e0aa8e3b0/contracts/Shelter.sol#L55

Vulnerability details

Impact

Any user can withdraw all the funds from the shelter. This is done by calling withdraw repeatedly until all funds are drained. You only need to have a small share.

Even if the `claimed` mapping was checked, there would still be a vulnerability. This is because the `claimed` mapping is updated with the `_to` address, not the `msg.sender` address.

Remediation is to change `_to` to `msg.sender`. https://github.com/code-423n4/2022-02-concur/blob/72b5216bfeaa7c52983060ebfc56e72e0aa8e3b0/contracts/Shelter.sol#L55
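The pattern in this finding and its remediation, as an added illustrative sketch rather than the audited Shelter.sol: the contract names, the `share` mapping and the minimal `IERC20` interface are assumptions, and only the `claimed` / `_to` / `msg.sender` handling in `withdraw` is taken from the report. The flawed variant keys the flag by the caller-chosen recipient and never consults it; the fixed variant keys it by the claimant, checks it first, and sets it before the external transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal token interface (assumption: only transfer is needed here).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Assumed skeleton: a shelter holding a token, with each depositor's share
// recorded by deposit logic that is not shown.
abstract contract ShelterBase {
    IERC20 public immutable token;
    mapping(address => uint256) public share;   // assumption: set elsewhere
    mapping(address => bool) public claimed;

    constructor(IERC20 _token) {
        token = _token;
    }

    function withdraw(address _to) external virtual;
}

// Pattern the finding describes: the flag is written under the recipient
// address and is not checked, so a repeat call by the same depositor pays again.
contract ShelterFlawed is ShelterBase {
    constructor(IERC20 _token) ShelterBase(_token) {}

    function withdraw(address _to) external override {
        uint256 amount = share[msg.sender];
        claimed[_to] = true;            // wrong key: records the recipient, not the claimant
        token.transfer(_to, amount);
    }
}

// Remediation: key the flag by msg.sender (the account whose share is paid out),
// require it to be unset, and set it before the transfer (checks-effects-interactions).
contract ShelterFixed is ShelterBase {
    constructor(IERC20 _token) ShelterBase(_token) {}

    function withdraw(address _to) external override {
        require(!claimed[msg.sender], "Shelter: already claimed");
        uint256 amount = share[msg.sender];
        require(amount > 0, "Shelter: no share");
        claimed[msg.sender] = true;     // effect recorded before the external call
        require(token.transfer(_to, amount), "Shelter: transfer failed");
    }
}
```

A unit test for the fixed contract should assert that a second `withdraw` from the same depositor reverts with "already claimed" regardless of which `_to` is passed, which is exactly the check the flawed version cannot enforce because its flag is keyed by `_to`.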

r2moon commented 2 years ago

https://github.com/code-423n4/2022-02-concur-findings/issues/246

GalloDaSballo commented 2 years ago

Am marking this as a unique finding as this one shows another issue with the Shelter withdraw function

Because this also allows for draining of all rewards, am raising to High Severity

liveactionllama commented 2 years ago

Per discussion with @leekt - adding sponsor confirmed label.