Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Any user can create distribution to gain funds from TokenDistributor contract #308

Open
code423n4 opened this issue Sep 19, 2022 · 4 comments
Open

Any user can create distribution to gain funds from TokenDistributor contract #308

code423n4 opened this issue Sep 19, 2022 · 4 comments
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L98-L115
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L118-L135

Vulnerability details

Impact

TokenDistributor.createNativeDistribution() and TokenDistributor.createErc20Distribution() allows anyone to create token distribution for eth or erc20 token. A user can monitor the erc20 token or eth balance of the token distributor balance and create a distribution for themselves whenever the tokens balance is greater than _storedBalances

This can be quite profitable for users monitoring the contract and they gain funds for free at the expense of any user who sent funds direct to the contract.

Once the distribution has been created, the user can call claim() or claimFee() depending on the user input during the distribution creation and be transferred the funds balance difference.

Proof of Concept

https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L190-L222

  1. TokenDistributor contract has balance of 20 eth.
  2. Bob monitors the contract and notices that some user had unknowingly or intentionally sent 1 eth to the contract.
  3. Bob calls createNativeDistribution() ensuring that they are the recipient and feeBps is 1e4
  4. The distribution is created
  5. Bob calls TokenDistributor.claimFee() with his address as recipient and a custom DistributionInfo such that;
    info.tokenType = TokenType.Native
    info.token = NATIVE_TOKEN_ADDRESS
    info.feeRecipient = Bob
    info.fee = 1 eth
  6. Bob would receive 1eth as the input would pass and the _transfer() called made to send eth to Bob as the receiver.

Tools Used

Manual review

Recommended Mitigation Steps

Apply necessary access controls
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Sep 19, 2022
code423n4 added a commit that referenced this issue Sep 19, 2022
@code423n4
cryptphi issue #308
5e4b4d6
@merklejerk merklejerk added the sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons label Sep 22, 2022
@merklejerk
Copy link
Collaborator

This is unsanctioned usage. The distributor is not supposed to be used in this way. You must transfer and create a distribution in the same transaction, or else you risk losing access to your transfer.

@trust1995
Copy link

@merklejerk Do you consider this a high severity finding? Because using sponsor-ack is confirming the severity, which does not sound like the case here (requires direct misuse of the API)

@HardlyDifficult
Copy link
Collaborator

Agree with the sponsor here - that requirement is noted in comments. The report aims to protect against user error which is Low risk.

Downgrading and converting this into a QA report for the warden.

@HardlyDifficult HardlyDifficult added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Sep 30, 2022
@HardlyDifficult HardlyDifficult mentioned this issue Oct 6, 2022
Closed
@HardlyDifficult
Copy link
Collaborator

Merging with #310

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@merklejerk @trust1995 @HardlyDifficult @code423n4