Open code423n4 opened 1 year ago
This is unsanctioned usage. The distributor is not supposed to be used in this way. You must transfer and create a distribution in the same transaction, or else you risk losing access to your transfer.
@merklejerk Do you consider this a high severity finding? Because using sponsor-ack is confirming the severity, which does not sound like the case here (requires direct misuse of the API)
Agree with the sponsor here - that requirement is noted in comments. The report aims to protect against user error which is Low risk.
Downgrading and converting this into a QA report for the warden.
Lines of code
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L98-L115 https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L118-L135
Vulnerability details
Impact
TokenDistributor.createNativeDistribution() and TokenDistributor.createErc20Distribution() allows anyone to create token distribution for eth or erc20 token. A user can monitor the erc20 token or eth balance of the token distributor balance and create a distribution for themselves whenever the tokens balance is greater than
_storedBalances
This can be quite profitable for users monitoring the contract and they gain funds for free at the expense of any user who sent funds direct to the contract.
Once the distribution has been created, the user can call claim() or claimFee() depending on the user input during the distribution creation and be transferred the funds balance difference.
Proof of Concept
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L190-L222
createNativeDistribution()
ensuring that they are the recipient andfeeBps
is 1e4Tools Used
Manual review
Recommended Mitigation Steps
Apply necessary access controls