Closed code423n4 closed 1 year ago
I believe this would be QA, you can send to address(0) or any other address that will not be able to claim
GalloDaSballo marked the issue as duplicate of #105
GalloDaSballo changed the severity to QA (Quality Assurance)
L
GalloDaSballo marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-01-drips/blob/9fd776b50f4be23ca038b1d0426e63a69c7a511d/src/DripsHub.sol#L510-L538 https://github.com/code-423n4/2023-01-drips/blob/9fd776b50f4be23ca038b1d0426e63a69c7a511d/src/DripsHub.sol#L576-L582
Vulnerability details
Impact
In dripsHub contract there is no revert mechanism if drips go to id's which has not been created yet.So user's token will be stuck in contract accidentialy without pay anyone if user enter DripsReceiver id large amount.(this may be happended when splitting.)
Proof of Concept
https://imgur.com/wmdq1av As can be seen in the photo driver drip to user id 25 (it can be seen in the emit DripsReceiverSeen in console) while user id point to address 0 (because there is no 25 register in contract) which is shown in console's console log parameter.
Tools Used
Recommended Mitigation Steps
Check new receiver list if there is a some id which exceed the current nextDriverId then revert.