Open github-actions[bot] opened 1 year ago
Escalate for 31 USDC
my issue is not duplicate of #425.
issue #425 is: "array lists invoiceCompleteClaimIds[]
and supportingDocumentsCompleteClaimIds[]
can contain claimIds that are incomplete". that is about those array list containing extra values and the issue has no serious impact because code checks mappings to check invoice and docuements status.
my issue explains that when a tier winner gets changed (Bounty issuer change tier1 winner from User1 to User2 for any reason) code doesn't reset the values in the mappings invoiceComplete[tier1]
or supportingDocumentsComplete[tier1]
. so values in those mappings would shoe wrong values for the new tier1 winner. the POC shows how the issue happens:
- UserA creates tiered Bounty1 and set invoice and supporting documents as required for winners to claim their funds.
- UserA would set User1 as winner of tier 1 and User1 completed the invoice and oracle would set invoiceComplete[1] = true.
- UserA would change tier winner to User2 because User1 didn't complete supporting documents phase. now User2 is winner of tier 1 and invoiceComplete[1] is true and User2 only required to complete supporting documents and User2 would receive the win prize without completing the invoice phase.
Escalate for 31 USDC
my issue is not duplicate of #425.
issue #425 is: "array lists
invoiceCompleteClaimIds[]
andsupportingDocumentsCompleteClaimIds[]
can contain claimIds that are incomplete". that is about those array list containing extra values and the issue has no serious impact because code checks mappings to check invoice and docuements status.my issue explains that when a tier winner gets changed (Bounty issuer change tier1 winner from User1 to User2 for any reason) code doesn't reset the values in the mappings
invoiceComplete[tier1]
orsupportingDocumentsComplete[tier1]
. so values in those mappings would shoe wrong values for the new tier1 winner. the POC shows how the issue happens:
- UserA creates tiered Bounty1 and set invoice and supporting documents as required for winners to claim their funds.
- UserA would set User1 as winner of tier 1 and User1 completed the invoice and oracle would set invoiceComplete[1] = true.
- UserA would change tier winner to User2 because User1 didn't complete supporting documents phase. now User2 is winner of tier 1 and invoiceComplete[1] is true and User2 only required to complete supporting documents and User2 would receive the win prize without completing the invoice phase.
You've created a valid escalation for 31 USDC!
To remove the escalation from consideration: Delete your comment. To change the amount you've staked on this escalation: Edit your comment (do not create a new comment).
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Escalation accepted
Not a valid duplicate of #425 and a valid issue
_eligibleToClaimAtomicBounty
would end up validating a user without completing the invoice phase as shown.
Escalation accepted
Not a valid duplicate of #425 and a valid issue
_eligibleToClaimAtomicBounty
would end up validating a user without completing the invoice phase as shown.
This issue's escalations have been accepted!
Contestants' payouts and scores will be updated according to the changes made on this issue.
Comment from Protocol Team:
I agree it would be better form to reset associated tiers documents + invoice to false if a tier winner is overwritten, but for now the bounty admin is a trusted party, and can always manually reset the tier afterwards.
I don't think this needs a fix at the moment
Classifying this issue as "Won't Fix."
unforgiven
medium
when issuer set new winner by calling setTierWinner() code should reset invoice and supporting documents for that tier
Summary
if invoice or supporting documents are required to receive the winning prize then tier winner should provide them. bounty issuer or oracle would set invoice and supporting document status of a tier by calling
setInvoiceComplete()
andsetSupportingDocumentsComplete()
. bounty issuer can set tier winners by callingsetTierWinner()
but code won't reset the status of the invoice and supporting documents when tier winner changes. a malicious winner can bypass invoice and supporting document check by this issue.Vulnerability Detail
if bounty issuer set invoice and supporting documents as required for the bounty winners in the tiered bounty, then tier winner should provide those and bounty issuer or off-chain oracle would set the status of the invoice and documents for that tier. but if issuer wants to change a tier winner and calls
setTierWinner()
code would changes the tier winner but won't reset the status of the invoice and supporting documents for the new winner. This is thesetTierWinner()
code in OpenQV1 and TieredBountyCore:As you can see code only sets the
tierWinner[tier]
and won't resetinvoiceComplete[tier]
orsupportingDocumentsComplete[tier]
to false. This would cause an issue when issuer wants to change the tier winner. these are the steps that makes the issue:invoiceComplete[1] = true
.invoiceComplete[1]
is true and User2 only required to complete supporting documents and User2 would receive the win prize without completing the invoice phase.Impact
malicious winner can bypass invoice and supporting document check when they are required if he is replace as another person to be winner of a tier.
Code Snippet
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/TieredBountyCore.sol#L59-L64
Tool used
Manual Review
Recommendation
set status of the
invoiceComplete[tier]
orsupportingDocumentsComplete[tier]
to false insetTierWinner()
function.