function _checkAndApplyIncentives() would call incentivize() for same address multiple times if sender==recipient
Summary
UbiquityDollarToken token has functionality to incentive address when they transfer Ubiquity token. code calls incentiveContract for sender, recipient, operator and global. the issue is that when calling incentiveContract[opperator] code makes sure that it's not calling the address for the second time but for sender and recipient there is no check. so if an address transfers tokens to itself then incentivize() would be called two times for that address's incentiveContract while in reality the tokens didn't transferred at all. this can give attacker ability to get incentive without really transferring tokens or it would cause wrong handling of the transfers and double profits/penalty for self transfers.
Vulnerability Detail
function _checkAndApplyIncentives() is responsible for applying incentives on Dollar transfers. as you can see in the code when calling recipientIncentive there is no check that recipientIncentive != senderIncentive and also there is no check that sender != recipient so if attacker or any users or contract send Ubiquity Dollar to itself then this function would call incentivize() for that address two time while in reality no token is transferred.
for operator's incentive code checks and makes sure that doesn't call the incentivize() for the second time.
clearly lack of check for self transfer can cause calculation problem for incentive logic and double reward/penalty can happen. there is no clear document about the incentive logic but calling two time for a fake-transfer will break most of the logics. on sample is that to give incentive based on minting another token, if incentive give profit(mint another token) or take penalty(burn another token) then self-transferring would allow minting unlimited tokens.
Impact
incentive logics can be fooled to double incentive the same address by self transferring.
unforgiven
medium
function _checkAndApplyIncentives() would call
incentivize()for same address multiple times if sender==recipientSummary
UbiquityDollarToken token has functionality to incentive address when they transfer Ubiquity token. code calls incentiveContract for
sender,recipient,operatorand global. the issue is that when callingincentiveContract[opperator]code makes sure that it's not calling the address for the second time but forsenderandrecipientthere is no check. so if an address transfers tokens to itself thenincentivize()would be called two times for that address'sincentiveContractwhile in reality the tokens didn't transferred at all. this can give attacker ability to get incentive without really transferring tokens or it would cause wrong handling of the transfers and double profits/penalty for self transfers.Vulnerability Detail
function
_checkAndApplyIncentives()is responsible for applying incentives on Dollar transfers. as you can see in the code when callingrecipientIncentivethere is no check thatrecipientIncentive != senderIncentiveand also there is no check thatsender != recipientso if attacker or any users or contract send Ubiquity Dollar to itself then this function would callincentivize()for that address two time while in reality no token is transferred.for operator's incentive code checks and makes sure that doesn't call the
incentivize()for the second time.clearly lack of check for self transfer can cause calculation problem for incentive logic and double reward/penalty can happen. there is no clear document about the incentive logic but calling two time for a fake-transfer will break most of the logics. on sample is that to give incentive based on minting another token, if incentive give profit(mint another token) or take penalty(burn another token) then self-transferring would allow minting unlimited tokens.
Impact
incentive logics can be fooled to double incentive the same address by self transferring.
Code Snippet
https://github.com/sherlock-audit/2023-12-ubiquity/blob/d9c39e8dfd5601e7e8db2e4b3390e7d8dff42a8e/ubiquity-dollar/packages/contracts/src/dollar/core/UbiquityDollarToken.sol#L89-L109
Tool used
Manual Review
Recommendation
if
sender == recipientdon't call incentive.Duplicate of #8