code-423n4 / 2023-01-drips-findings


Drips and splits can go to uncreated ids. #109

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-drips/blob/9fd776b50f4be23ca038b1d0426e63a69c7a511d/src/DripsHub.sol#L510-L538

https://github.com/code-423n4/2023-01-drips/blob/9fd776b50f4be23ca038b1d0426e63a69c7a511d/src/DripsHub.sol#L576-L582

Vulnerability details

Impact

In the DripsHub contract there is no revert mechanism if drips go to ids which have not been created yet. So the user's tokens will be stuck in the contract accidentally without paying anyone if the user enters a large value for the DripsReceiver id. (This may happen when splitting.)

Proof of Concept

https://imgur.com/wmdq1av

As can be seen in the photo, the driver drips to user id 25 (it can be seen in the emitted DripsReceiverSeen in the console) while the user id points to address 0 (because there is no 25 registered in the contract), which is shown in the console's console log parameter.

Tools Used

Recommended Mitigation Steps

Check the new receiver list; if there is some id which exceeds the current nextDriverId, then revert.

GalloDaSballo commented 1 year ago

I believe this would be QA, you can send to address(0) or any other address that will not be able to claim

c4-judge commented 1 year ago

GalloDaSballo marked the issue as duplicate of #105

c4-judge commented 1 year ago

GalloDaSballo changed the severity to QA (Quality Assurance)

GalloDaSballo commented 1 year ago

L

c4-judge commented 1 year ago

GalloDaSballo marked the issue as grade-c