search

sherlock-audit / 2023-02-openq-judging

4 stars 0 forks source link

XKET - `TieredFixedBountyV1.setFundingGoal` changes `payoutTokenAddress` #543

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

XKET

medium

TieredFixedBountyV1.setFundingGoal changes payoutTokenAddress

Summary

Vulnerability Detail

When an issuer of a tiered fixed bounty wants to set funding goal, TieredFixedBountyV1.setFundingGoal also changes payoutTokenAddress. (TieredFixedBountyV1.sol#L123-L133)

    function setFundingGoal(address _fundingToken, uint256 _fundingGoal)
        external
        override
        onlyOpenQ
    {
        fundingGoal = _fundingGoal;
        fundingToken = _fundingToken;
        hasFundingGoal = true;

        payoutTokenAddress = _fundingToken;
    }

The payoutTokenAddress is changed during setPayoutScheduleFixed. (TieredFixedBountyV1.sol#L138-L147)

    function setPayoutScheduleFixed(
        uint256[] calldata _payoutSchedule,
        address _payoutTokenAddress
    ) external onlyOpenQ {
        require(
            bountyType == OpenQDefinitions.TIERED_FIXED,
            Errors.NOT_A_FIXED_TIERED_BOUNTY
        );
        payoutSchedule = _payoutSchedule;
        payoutTokenAddress = _payoutTokenAddress;

So if payoutTokenAddress is changed during setting a funding goal, the issuer can be confused and payoutTokenAddress can be set to a wrong token by setFundingGoal. If payoutTokenAddress is set to a wrong token, claimers can't claim their payouts.

Impact

Claimers can't claim their payouts when payoutTokenAddress is set to a wrong token.

Code Snippet

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/TieredFixedBountyV1.sol#L123-L133

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/TieredFixedBountyV1.sol#L138-L147

Tool used

Manual Review

Recommendation

Don't update payoutTokenAddress in TieredFixedBountyV1.setFundingGoal

Duplicate of #519