Open hats-bug-reporter[bot] opened 1 year ago
Github username: @ololade97
Submission hash (on-chain): 0xb52cf013abf721bc713f93a4ea57218982dc3741237e1a6eb52197115d4a25a3
Severity: high
Description: Both the refundDisputers and _refundDisputers functions don't actually transfer any funds to disputers.
The transfer logic is missing in both functions.
_refundDisputers only sets the bondClaimable mapping to true for the disputer addresses:
`bondClaimable[_disputersToRefund[i]][_vault][_claimId] = true;`
Attack Scenario: Disputers eligible for a refund cannot be refunded.
Attachments: https://github.com/hats-finance/hats-contracts/blob/0d6ebbde912bc272d9b310140d434ee2aacd36d3/contracts/HATArbitrator.sol#L204-L230
Proof of Concept (PoC) File
Transfer logic is missing in the below code:
```solidity
function refundDisputers(
    IHATClaimsManager _vault,
    bytes32 _claimId,
    address[] calldata _disputersToRefund
)
    external
    onlyExpertCommittee
    onlyChallengedActiveClaim(_vault, _claimId)
    onlyResolvedDispute(_vault, _claimId)
{
    _refundDisputers(_vault, _claimId, _disputersToRefund);
}

function _refundDisputers(
    IHATClaimsManager _vault,
    bytes32 _claimId,
    address[] calldata _disputersToRefund
) internal {
    for (uint256 i = 0; i < _disputersToRefund.length; ) {
        bondClaimable[_disputersToRefund[i]][_vault][_claimId] = true;
        unchecked { ++i; }
    }
    emit DisputersRefunded(_vault, _claimId, _disputersToRefund);
}
```
Revised Code File (Optional)
They are not supposed to transfer bonds back to the disputers. They just store the amounts that can be claimed later by disputers calling `reclaimBond()`.
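To make the two-step design the reply describes concrete, here is an added illustrative contract (not HATArbitrator's code and not from the thread's participants): the committee call only flags bonds as claimable, and each disputer later pulls its own bond with `reclaimBond()`. Only the names `bondClaimable` and `reclaimBond` come from the thread; `disputersBonds`, `dispute`, the address-typed vault and the minimal `IERC20` interface are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed here (illustrative, not the project's interface).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
/// Illustrative two-step (pull-payment) bond refund. Only `bondClaimable` and `reclaimBond`
/// mirror names from the thread; everything else is assumed, not HATArbitrator's code.
contract PullRefundExample {
    IERC20 public immutable bondToken;
    address public immutable expertCommittee;
    // disputer => vault => claimId => bond locked, and whether it may be pulled back
    mapping(address => mapping(address => mapping(bytes32 => uint256))) public disputersBonds;
    mapping(address => mapping(address => mapping(bytes32 => bool))) public bondClaimable;
    event DisputersRefunded(address indexed vault, bytes32 indexed claimId, address[] disputers);
    constructor(IERC20 _bondToken, address _expertCommittee) {
        bondToken = _bondToken;
        expertCommittee = _expertCommittee;
    }
    // Step 0: a disputer locks a bond against a claim (tokens pulled via transferFrom).
    function dispute(address _vault, bytes32 _claimId, uint256 _amount) external {
        require(_amount > 0, "zero bond");
        disputersBonds[msg.sender][_vault][_claimId] += _amount;
        require(bondToken.transferFrom(msg.sender, address(this), _amount), "transferFrom failed");
    }

    // Step 1: the committee only flags bonds as claimable; no tokens move here. A transfer
    // loop would let one reverting recipient block every other refund in the batch.
    function refundDisputers(address _vault, bytes32 _claimId, address[] calldata _disputersToRefund) external {
        require(msg.sender == expertCommittee, "not committee");
        for (uint256 i = 0; i < _disputersToRefund.length; ) {
            bondClaimable[_disputersToRefund[i]][_vault][_claimId] = true;
            unchecked { ++i; }
        }
        emit DisputersRefunded(_vault, _claimId, _disputersToRefund);
    }

    // Step 2: each disputer pulls its own bond. State is cleared before the external call
    // (checks-effects-interactions), so a re-entrant call finds nothing left to claim.
    function reclaimBond(address _vault, bytes32 _claimId) external {
        require(bondClaimable[msg.sender][_vault][_claimId], "bond not claimable");
        uint256 amount = disputersBonds[msg.sender][_vault][_claimId];
        require(amount > 0, "nothing to reclaim");
        bondClaimable[msg.sender][_vault][_claimId] = false;
        disputersBonds[msg.sender][_vault][_claimId] = 0;
        require(bondToken.transfer(msg.sender, amount), "transfer failed");
    }
}
```

Because the committee's batch call never touches token balances, a single recipient that cannot receive tokens cannot block the other refunds, and each disputer pays the gas for its own withdrawal.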