c4-bot-4 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/Neuron.sol#L138-L145

Vulnerability details

Vulnerability Details

in Neuron.sol contract we have a setupAirdrop() function for setting up airdrop for NRN token and this function makes approve from treasuryAddress to recipients. then users can claim their airdrops by calling the claim() function. but the claim() doesn't decrease allowance after claiming tokens. for example, if users have 100 NRN airdrop, they can call claim() multiple times and drain the treasuryAddress address.

Impact

A malicious user can drain the treasuryAddress address by calling the claim() function multiple times.

Proof of Concept

function claim(uint256 amount) external {
        require(
            allowance(treasuryAddress, msg.sender) >= amount, 
            "ERC20: claim amount exceeds allowance"
        );
        transferFrom(treasuryAddress, msg.sender, amount);
        emit TokensClaimed(msg.sender, amount);
    }

Tools Used

VSCODE

Recommended Mitigation Steps

Consider this:

function claim(uint256 amount) external {
        require(
            allowance(treasuryAddress, msg.sender) >= amount, 
            "ERC20: claim amount exceeds allowance"
        );
        allowance(treasuryAddress, msg.sender) - amount
        transferFrom(treasuryAddress, msg.sender, amount);
        emit TokensClaimed(msg.sender, amount);
    }

Assessed type

ERC20

c4-pre-sort commented 8 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 8 months ago

raymondfam marked the issue as duplicate of #1472

raymondfam commented 8 months ago

Allowance will be deducted or set to 0 by the parental OZ contract.

c4-judge commented 8 months ago

HickupHH3 marked the issue as unsatisfactory: Insufficient proof

code-423n4 / 2024-02-ai-arena-findings

Attacker can drain NRN tokens from treasuryAddress. #1710