So an attacker can call DepositManagerV1.fundBountyNFT using a whitelisted ERC20 token.
isWhitelisted will pass in fundBountyNFTand and BountyCore._receiveNft will call ERC20.safeTransferFrom.
The function signature of ERC20.safeTransferFrom is the same as ERC721.safeTransferFrom. So the deposit will be successful if nftDepositLimit doesn't meet. But when claimers wants to claim the ERC20 deposit as an NFT, ERC20.safeTransferFrom will be called instead of ERC20.safeTransfer. (BountyCore.sol#L257-L264)
ERC20.safeTransferFrom(address(this), _payoutAddress, _tokenId) will revert because any of bounty contracts doesn't approve from itself to itself.
When claimers can't claim the NFT, the whole claim process will fail for atomic and tiered bounties.
Impact
Claimers can't claim for atomic and tiered bounties.
XKET
high
An attacker can prevent claimers from claiming
Summary
Vulnerability Detail
In DepositManagerV1,
fundBountyNFT
andfundBountyToken
shares the same whitelist. (DepositManagerV1.sol#L36-L50)(DepositManagerV1.sol#L113-L122)
So an attacker can call
DepositManagerV1.fundBountyNFT
using a whitelisted ERC20 token.isWhitelisted
will pass infundBountyNFTand
andBountyCore._receiveNft
will callERC20.safeTransferFrom
. The function signature ofERC20.safeTransferFrom
is the same asERC721.safeTransferFrom
. So the deposit will be successful ifnftDepositLimit
doesn't meet. But when claimers wants to claim the ERC20 deposit as an NFT,ERC20.safeTransferFrom
will be called instead ofERC20.safeTransfer
. (BountyCore.sol#L257-L264)ERC20.safeTransferFrom(address(this), _payoutAddress, _tokenId)
will revert because any of bounty contracts doesn't approve from itself to itself. When claimers can't claim the NFT, the whole claim process will fail for atomic and tiered bounties.Impact
Claimers can't claim for atomic and tiered bounties.
Code Snippet
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/DepositManager/Implementations/DepositManagerV1.sol#L36-L50 https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/DepositManager/Implementations/DepositManagerV1.sol#L113-L122 https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/BountyCore.sol#L257-L264
Tool used
Manual Review
Recommendation
Use different whitelist for ERC20 and NFTs.
Duplicate of #352