libratus
high
Refunding a deposit from a tiered percentage bounty can break claiming
Summary
Refunding a deposit from a tiered percentage bounty after it has been frozen breaks reward claims.
Vulnerability Detail
When a tiered bounty is frozen, a snapshot of the token amounts is taken and stored in the fundingTotals array. However, if one of the bounty's deposits is refunded afterwards, that snapshot is not updated. As a result, a claim will fail because it attempts to transfer tokens that no longer belong to the contract.

This can be exploited by an attacker who makes a deposit and then refunds it as soon as the bounty is frozen. The following test case reverts because the link deposit was refunded; the second claimant is unable to receive the bounty.
Impact
The tiered percentage bounty claim process can be broken.
Code Snippet
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/TieredPercentageBountyV1.sol#L115-L120
Tool used
Manual Review
Recommendation
Recalculate fundingTotals when a refund is made.
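To make the accounting concrete, here is an added Python model of the freeze/refund/claim flow (not the OpenQ contract's code); the token name, amounts, the two-tier 50/50 split and the fix_refund switch are all assumptions, and the real contract's restrictions on when a refund is allowed are not modeled. With fix_refund=False the second tier's claim reverts as described above; with the recommended recalculation of the snapshot on refund both tiers are paid.

```python
from dataclasses import dataclass, field

class ClaimReverts(Exception):
    pass  # stands in for the ERC20 transfer revert when the bounty holds too few tokens

@dataclass
class TieredPercentageBounty:
    tiers: list                   # percentage share per tier, sums to 100
    fix_refund: bool = False      # True = apply the recommended fix on refund
    frozen: bool = False
    balances: dict = field(default_factory=dict)        # token -> amount actually held
    funding_totals: dict = field(default_factory=dict)  # snapshot taken at freeze

    def deposit(self, token, amount):
        self.balances[token] = self.balances.get(token, 0) + amount

    def freeze(self):
        # Claims are computed from this snapshot, not from the live balances.
        self.frozen = True
        self.funding_totals = dict(self.balances)

    def refund(self, token, amount):
        self.balances[token] -= amount
        if self.frozen and self.fix_refund:
            self.funding_totals[token] -= amount  # keep the snapshot in step with holdings

    def claim_tier(self, tier):
        payout = {}
        for token, total in self.funding_totals.items():
            amount = total * self.tiers[tier] // 100
            if amount > self.balances.get(token, 0):
                raise ClaimReverts(f"tier {tier}: needs {amount} {token}, holds {self.balances.get(token, 0)}")
            self.balances[token] -= amount
            payout[token] = amount
        return payout

def run_scenario(fix_refund):
    """Two-tier 50/50 bounty; a 10 LINK deposit is refunded right after freeze (constructed values)."""
    bounty = TieredPercentageBounty(tiers=[50, 50], fix_refund=fix_refund)
    bounty.deposit("LINK", 100)   # honest funding
    bounty.deposit("LINK", 10)    # deposit that will be pulled back after the freeze
    bounty.freeze()
    bounty.refund("LINK", 10)
    paid, error = [], None
    try:
        for tier in range(len(bounty.tiers)):
            paid.append(bounty.claim_tier(tier))
    except ClaimReverts as exc:
        error = str(exc)
    return paid, error
```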
Duplicate of #266