Closed sherlock-admin2 closed 4 weeks ago
Escalate
Issue should be valid.
Escalate
Issue should be valid.
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Would be appreciated if you point out the reason on why you think this is valid @samuraii77
I think the report explains it very well, not sure what to add to it. It is a clear issue disallowing users to claim their rewards in the case explained above. If anything in particular is unclear, please let me know and I will answer.
In this explained scenario owner can return transferred amount to contract, so users can claim their tokens.
That's true and I am aware of this scenario but imagine what that would look like in a real scenario:
Being extremely conservative here, it is very unlikely that all of this will be fixed in less than a day. It might take a few days and especially if that was during the weekend, it will take even longer. Keep in mind that this can then occur for every single time someone takes out his tokens, that will create a lot of issues and disputes.
Also, imagine the case explained in the parenthesis in step 2 occurs. She has waited for her tranche to unlock for over a year and has timed an important purchase the day of the unlock, possibly something extremely important as an apartment purchase. The funds will unlock on Friday and she will immediately claim them and withdraw them to her bank in order to make that important purchase scheduled for Friday. The issue explained in my report occurs and now she can't do it. As explained above, it will probably take at least until Monday until the issue is taken care of and she can take out her tokens. As that was a super important purchase she timed particularly for that day, she is in an extremely bad situation and might not even be able to make her super important purchase.
At the very least, this issue constitutes to be of Medium severity, the impact is clearly there and the likelihood is extremely high.
Firstly, if what you describe above is the case, then I believe it's DOS of Alice, but it fairly can be resolved in less than 1 week and I'm not sure it's a time-sensitive function (in general, not only for one user). Secondly, wouldn't this line revert in that case records[beneficiary].total -= uint120(diff);
?
I reported the root cause of this as a Low. See github.com/sherlock-audit/2024-05-tokensoft-distributor-contracts-update-judging/issues/68, #3
I'll be a little more brief than usual because I'm about to go to bed, but, basically: this scenario boils down to "if the contract is underfunded, then the contract is underfunded, and people can't withdraw funds until it becomes more funded." Which seems, like, not an issue. The protocol is very intentionally designed to allow the admin to adjust a user's total below their already claimed amount.
@WangSecurity it doesn't revert, the issue explained is possible. If I am not mistaken due to not looking at the contract code right now, this does not revert as total
never changes, just the claimed amount changes and from that, the contract computes the amount claimable.
Also, I believe that since the explained scenario in my last comment with Alice making an important purchase is actually possible, then this can be considered a time sensitive function. There is no mathematics we can do here to decide what % of people would need the money immediately but we can safely assume that some will, thus the function can be considered time sensitive.
Also, about the locking of funds, the DoS period is unknown. It can be a year for all we know, it lasts until someone sends funds into the contract.
And to answer jkoppel
, with all due respect, I believe you did not notice this exact issue. Judging from your report, you use the word somehow
implying that you don't actually know how that could happen (unless not funded in the first place which is a separate issue I have submitted). I believe that you would have submitted this issue as a Medium at the very least if you noticed that issue as that is clearly problematic.
Hi samuraii77! Nope! I use the word somehow
because it's not a significant issue even if it does happen. If something else makes the contract insolvent, like just plain underfunding it, then that something else is the root cause. And I don't think this scenario is problematic at all. If the owner takes out more funds than are owed to users, they'll have to put some of those funds back in.
Firstly, I agree that this function can time-sensitive for specific users in specific situations. But, I don't see it as time-sensitive in general (unlike managing trading positions, for example).
Secondly, Let's look at a couple of code comments:
adjust
function:* @dev Adjust the quantity claimable by a user, overriding the value in the distribution record.
DistributionRecord
:
uint120 total; // total token quantity claimable uint120 claimed; // token quantity already claimed
So, as we see the function adjust
has to change the quantity claimable by a user which is the definition of total
. Hence, the function is doing what it is expected to.
But, still the situation in this report may still happen. But the admin can simply refund the contract with the user funds. I believe this issue is about DOSing the user (Alice in the example), but as I've explained at the beginning, it's not a time-sensitive function, and can be solved in less than 7 days.
Hence, planning to reject the escalation and invalidate the report.
Result: Invalid Unique
samuraii77
high
Incorrect require statement can cause user to be unable to claim
Summary
Incorrect require statement can cause user to be unable to claim
Vulnerability Detail
The owner can call
AdvancedDistributorInitializable#adjust()
in order to adjust the amount that a user can claim:The issue here is in this require statement:
The require statement should actually check for the unclaimed tokens and not the total tokens of a particular user.
Imagine the following scenario:
total
variable is equal to 200 tokens and the contract has the needed amount of tokens, 200 tokensadjust()
with the right input (address of Bob and -100 tokens) but Bob frontruns him and takes out his tokenstotal
variable is now 100 (200 - 100) and the total claimable tokens for Bob is 0 (100 - 100)Now, the contract balance is 0 as Bob already took out his 100 tokens and the owner got the other 100 tokens because the require statement should have actually checked for the unclaimed tokens of Bob and reverted instead of checking for his total claimable tokens. Alice tries to withdraw her 100 tokens but since the balance of the contract is 0, she will not be able to.
Impact
Incorrect require statement can cause user to be unable to claim
Code Snippet
https://github.com/sherlock-audit/2024-05-tokensoft-distributor-contracts-update/blob/67edd899612619b0acefdcb0783ef7a8a75caeac/contracts/packages/hardhat/contracts/claim/factory/AdvancedDistributorInitializable.sol#L124-L145
Tool used
Manual Review
Recommendation
Make the following change: