joestakey
medium
funder can lose native token in receiveFunds
Summary
Lack of sufficient checks in receiveFunds when transferring an ERC20 token means a funder can lose native token if msg.value is mistakenly passed in the function call.
Vulnerability Detail
receiveFunds allows a funder to transfer tokens to a bounty. It separates two cases: if funding is done with MATIC, and if it is done with ERC20 tokens.
The issue is that in the ERC20 token branch (l44), it does not check msg.value == 0. If the funder mistakenly passed a non-zero msg.value, they will never be able to retrieve this amount.
Impact
The funder loses that amount of MATIC. Calling refundDeposit will not allow them to retrieve it, as the tokenAddress[_depositId] will be the ERC20 token address, not address(0).
Code Snippet
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/BountyCore.sol#L41-L45
Tool used
Manual Review
Recommendation
Duplicate of #288
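The pattern described in this report, reduced to a standalone Solidity sketch that puts the vulnerable shape beside one with the msg.value check. This is an added example, not code from the OpenQ repository or from the report's author; BountySketch, receiveFundsChecked, _record and the storage layout are assumptions, and access control and deposit expiry are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed sketch, not the OpenQ contract. Only receiveFunds, refundDeposit
// and tokenAddress are names from the report; everything else is hypothetical.
contract BountySketch {
    mapping(bytes32 => address) public tokenAddress; // address(0) = native token
    mapping(bytes32 => uint256) public volume;
    mapping(bytes32 => address) public funder;
    uint256 private nonce;

    // Vulnerable shape: the ERC20 branch never looks at msg.value, so native
    // token sent by mistake stays in the contract, recorded against no deposit.
    function receiveFunds(address _token, uint256 _volume) external payable returns (bytes32) {
        if (_token == address(0)) return _record(_token, msg.value);
        require(IERC20(_token).transferFrom(msg.sender, address(this), _volume), "pull failed");
        return _record(_token, _volume);
    }

    // Hardened shape: an ERC20 deposit carrying native value reverts.
    function receiveFundsChecked(address _token, uint256 _volume) external payable returns (bytes32) {
        if (_token == address(0)) return _record(_token, msg.value);
        require(msg.value == 0, "native value sent with ERC20 deposit");
        require(IERC20(_token).transferFrom(msg.sender, address(this), _volume), "pull failed");
        return _record(_token, _volume);
    }

    // Pays out only the recorded asset, so the stray native value is unreachable.
    function refundDeposit(bytes32 _depositId) external {
        require(msg.sender == funder[_depositId], "not funder");
        uint256 amount = volume[_depositId];
        volume[_depositId] = 0; // clear before the external call
        address token = tokenAddress[_depositId];
        if (token == address(0)) {
            (bool ok, ) = msg.sender.call{value: amount}("");
            require(ok, "native refund failed");
        } else {
            require(IERC20(token).transfer(msg.sender, amount), "refund failed");
        }
    }
    function _record(address _token, uint256 _amount) private returns (bytes32 id) {
        id = keccak256(abi.encode(msg.sender, nonce++));
        (tokenAddress[id], volume[id], funder[id]) = (_token, _amount, msg.sender);
    }
}
```

Because a revert returns the attached value to the caller, the check in receiveFundsChecked costs the funder only gas when they make the mistake.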