code-423n4 / 2022-02-concur-findings

claimed of _to set to true #252

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-concur/blob/main/contracts/Shelter.sol#L54-L55

Vulnerability details

Impact

Function withdraw in Shelter calculates the amount based on shares of msg.sender, but sets the claimed flag of _to:

  uint256 amount = savedTokens[_token] * client.shareOf(_token, msg.sender) / client.totalShare(_token);
  claimed[_token][_to] = true;

This means a malicious user can invoke withdrawal with an arbitrary _to and block this address from claiming the tokens later (assuming claimed flag will be implemented to check against repeated withdrawals). This way, msg.sender is unaffected and can withdraw their tokens repeatedly.

Recommended Mitigation Steps

It should set the claimed[_token][msg.sender] to true and probably check that _to is not an empty address (0x0) to prevent accidental loss of tokens.
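
The bookkeeping described in this report, as an added example that is not part of the original issue or the Concur code base: a Python model of one token's claim flags, comparing the flag keyed on _to with the flag keyed on msg.sender. The ShelterModel class, the sample shares and balance, and the repeat-withdrawal check (which the report only assumes) are constructed for illustration.

```python
class AlreadyClaimed(Exception):
    pass


class ShelterModel:
    """Off-chain model of one token's claim bookkeeping in Shelter.withdraw."""

    def __init__(self, saved_tokens, shares, flag_sender):
        self.saved_tokens = saved_tokens          # savedTokens[_token]
        self.shares = dict(shares)                # client.shareOf(_token, addr)
        self.total_share = sum(shares.values())   # client.totalShare(_token)
        self.claimed = set()      # addresses whose claimed[_token][addr] is true
        self.received = {}        # tokens transferred to each recipient
        self.flag_sender = flag_sender  # False: flag _to (as reported); True: flag msg.sender

    def withdraw(self, sender, to):
        # Recommended mitigation only: reject an empty recipient (stand-in for 0x0).
        if self.flag_sender and not to:
            raise ValueError("_to is the zero address")
        key = sender if self.flag_sender else to
        # Assumed repeat-withdrawal check, reading the same key that gets written.
        if key in self.claimed:
            raise AlreadyClaimed(key)
        # Amount always follows the caller's share, as in the reported line.
        amount = self.saved_tokens * self.shares.get(sender, 0) // self.total_share
        self.claimed.add(key)
        self.received[to] = self.received.get(to, 0) + amount
        return amount


def run_scenario(flag_sender):
    """Bob withdraws naming Alice as _to, Alice then claims, Bob claims again."""
    shelter = ShelterModel(1000, {"alice": 60, "bob": 40}, flag_sender)  # constructed values
    log = []
    for sender, to in [("bob", "alice"), ("alice", "alice"), ("bob", "bob")]:
        try:
            log.append((sender, to, shelter.withdraw(sender, to)))
        except AlreadyClaimed:
            log.append((sender, to, "blocked"))
    return log, shelter.received


if __name__ == "__main__":
    for mode in (False, True):
        print("flag msg.sender" if mode else "flag _to", *run_scenario(mode), sep="\n  ")
```

With the flag on _to, Bob's 40% share is paid out twice and Alice's own claim is blocked; with the flag on msg.sender, each holder's share is paid exactly once and the payouts sum to the sheltered balance.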

r2moon commented 2 years ago

https://github.com/code-423n4/2022-02-concur-findings/issues/246

GalloDaSballo commented 2 years ago

Dup of #103