Open hats-bug-reporter[bot] opened 5 months ago
This is intentional and outside of the scope of the audit.
@luzzif There was no mention of this in the out-of-scope section on the Hats site. Additionally, account abstraction (EIP-3074) has already been finally approved to go live on EVM chains in the upcoming hardfork.
I'd like you to reconsider this as a valid issue since it definitely would prevent these users from claiming their rewards.
As I said, we don't intend to support meta-transactions in the first version of the contract.
Github username: -- Twitter username: -- Submission hash (on-chain): 0x0e085b83e6da3f97a40915a72502baf541988814e30efb4b15bdb0ed67b342cd Severity: high
Description
Meta-transactions allow users with not enough gas fees to use a Gas Station Network (GSN) to pay for the gas fees for their external call.
The concept of meta-transactions can be further understood in EIP-2771 - https://eips.ethereum.org/EIPS/eip-2771
Issue
The issue in the current Metrom.sol contract is that it does not support meta-transactions. This prevents users using a GSN from claiming their rewards. It also might affect campaign owners who might be using a GSN to create campaigns or perform ownership transfers, but the main impact that is likely to occur is users not being able to claim.
Severity
Meta-transactions and GSNs are widely used due to the existence of EIP-2771. The incompatibility of the Metrom.sol contract with meta-txs prevents users from claiming their deserved rewards. As the Ethereum ecosystem expands (especially with the advent of AA), gasless transactions will become the go-to for users (especially for such campaigns).
Due to these reasons, the severity is being marked as High since users lose out on their deserved rewards on the campaign.
Attachments
https://github.com/hats-finance/Metrom-0xfdfc6d4ac5807d7460da20a3a1c0c84ef2b9c5a2/blob/e9d6b1e594d5bb3694bfe68f73399156ebb5d3a4/src/Metrom.sol#L276
Consider using OZ's Context.sol and replacing msg.sender with the _msgSender() function in the claimRewards() function, as well as in the functions that the campaign owner interacts with.
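For illustration, here is a minimal ERC-2771-aware claim path of the kind the report recommends. This is an added example, not code from the Metrom repository or from OpenZeppelin; the contract and function names (MinimalERC2771Context, RewardClaimer, fund) are hypothetical, and only the _msgSender() recovery logic follows EIP-2771, which appends the original sender as the last 20 bytes of the forwarded calldata.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the Metrom repository. Names here are
// hypothetical; the _msgSender() logic follows EIP-2771, which appends the
// original sender as the last 20 bytes of the forwarded calldata.
abstract contract MinimalERC2771Context {
    address private immutable _trustedForwarder;
    constructor(address trustedForwarder) {
        _trustedForwarder = trustedForwarder;
    }

    function isTrustedForwarder(address forwarder) public view returns (bool) {
        return forwarder == _trustedForwarder;
    }

    function _msgSender() internal view returns (address) {
        // Trust the appended address only when the call really comes from the
        // configured forwarder and the calldata is long enough to carry it.
        if (isTrustedForwarder(msg.sender) && msg.data.length >= 20) {
            return address(bytes20(msg.data[msg.data.length - 20:]));
        }
        return msg.sender; // direct call: the EOA/contract itself
    }
}

// Reward claims keyed by the recovered sender, so a user relaying through a
// GSN forwarder claims their own balance instead of the forwarder's.
contract RewardClaimer is MinimalERC2771Context {
    mapping(address => uint256) public claimable;
    event RewardsClaimed(address indexed account, uint256 amount);

    constructor(address trustedForwarder) MinimalERC2771Context(trustedForwarder) {}

    function fund(address account) external payable {
        claimable[account] += msg.value;
    }

    // With plain msg.sender, a forwarded call would look up the forwarder's
    // (empty) balance and revert; _msgSender() resolves the real user.
    function claimRewards() external {
        address account = _msgSender();
        uint256 amount = claimable[account];
        require(amount > 0, "nothing to claim");
        claimable[account] = 0; // zero before the external call
        (bool ok, ) = account.call{value: amount}("");
        require(ok, "transfer failed");
        emit RewardsClaimed(account, amount);
    }
}
```

Note that the forwarder address must be set once and trusted deliberately: a forwarder that does not verify the user's signature before appending the sender would let anyone claim on behalf of anyone.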