Any user can create distribution to gain funds from TokenDistributor contract #308
Labels
bug: Something isn't working
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L98-L115
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L118-L135
Vulnerability details
Impact
TokenDistributor.createNativeDistribution() and TokenDistributor.createErc20Distribution() allow anyone to create a token distribution for ETH or an ERC20 token. A user can monitor the ETH or ERC20 token balance of the token distributor and create a distribution for themselves whenever that balance is greater than _storedBalances.
This can be quite profitable for users monitoring the contract: they gain funds for free at the expense of any user who sent funds directly to the contract.
Once the distribution has been created, the user can call claim() or claimFee(), depending on the user input during the distribution creation, and be transferred the balance difference.
Proof of Concept
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/distribution/TokenDistributor.sol#L190-L222
The user (Bob) calls createNativeDistribution(), ensuring that they are the fee recipient and feeBps is 1e4, so the resulting distribution is:
info.tokenType = TokenType.Native
info.token = NATIVE_TOKEN_ADDRESS
info.feeRecipient = Bob
info.fee = 1 eth
Tools Used
Manual review
Recommended Mitigation Steps
Apply necessary access controls
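As an added illustration of the pattern described in the Impact section and of the recommended mitigation, the following minimal distributor is example code written for this issue, not PartyDAO's TokenDistributor (names such as storedBalance, isAllowedCreator, createNativeDistributionUnprotected and the constructor allowlist are assumptions and do not match the real contract's API). It keeps the reported behaviour, that the surplus of address(this).balance over the stored balance becomes a distribution whose fee goes to a caller-chosen recipient, and places an allowlist check on the creation function so that an arbitrary caller can no longer turn stranded ETH into a distribution for themselves.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not PartyDAO's code. Simplified native-token distributor that
// reproduces the reported pattern and the access-controlled fix.
contract MinimalDistributor {
    struct DistributionInfo {
        address payable feeRecipient;
        uint256 fee;          // amount claimable by feeRecipient
        uint256 memberSupply; // remainder for members (claim logic omitted here)
    }

    uint256 public storedBalance; // ETH already accounted for by earlier distributions
    uint256 public distributionCount;
    mapping(uint256 => DistributionInfo) public distributions;

    // Hypothetical allowlist of callers permitted to create distributions
    // (in the real protocol this role would belong to the party contracts).
    mapping(address => bool) public isAllowedCreator;

    error NotAllowedCreator(address caller);
    error NothingToDistribute();

    constructor(address[] memory creators) {
        for (uint256 i = 0; i < creators.length; i++) {
            isAllowedCreator[creators[i]] = true;
        }
    }

    modifier onlyAllowedCreator() {
        if (!isAllowedCreator[msg.sender]) revert NotAllowedCreator(msg.sender);
        _;
    }

    // VULNERABLE PATTERN (as reported): no access control. Any ETH that arrived
    // since the last accounting becomes a distribution, and with feeBps = 1e4
    // the whole surplus is the fee, payable to a recipient the caller picks.
    function createNativeDistributionUnprotected(address payable feeRecipient, uint16 feeBps)
        external
        returns (uint256 id)
    {
        return _create(feeRecipient, feeBps);
    }

    // HARDENED: identical accounting, but only an allowlisted creator may call it.
    function createNativeDistribution(address payable feeRecipient, uint16 feeBps)
        external
        onlyAllowedCreator
        returns (uint256 id)
    {
        return _create(feeRecipient, feeBps);
    }

    function _create(address payable feeRecipient, uint16 feeBps) internal returns (uint256 id) {
        require(feeBps <= 1e4, "fee > 100%");
        // The surplus the report describes: balance not yet covered by storedBalance.
        uint256 supply = address(this).balance - storedBalance;
        if (supply == 0) revert NothingToDistribute();
        storedBalance = address(this).balance; // account for it so it cannot be distributed twice
        uint256 fee = (supply * feeBps) / 1e4;
        id = ++distributionCount;
        distributions[id] = DistributionInfo(feeRecipient, fee, supply - fee);
    }

    // Fee recipient withdraws their share; storedBalance shrinks in step with the transfer.
    function claimFee(uint256 id) external {
        DistributionInfo storage info = distributions[id];
        require(msg.sender == info.feeRecipient, "not fee recipient");
        uint256 fee = info.fee;
        require(fee > 0, "nothing to claim");
        info.fee = 0;
        storedBalance -= fee;
        (bool ok, ) = info.feeRecipient.call{value: fee}("");
        require(ok, "transfer failed");
    }

    // ETH sent directly here is exactly the "stranded" surplus the report is about.
    receive() external payable {}
}
```

With the unprotected entry point, a watcher who sees address(this).balance exceed storedBalance can call it with feeRecipient set to themselves and feeBps = 1e4, then claimFee, which is the scenario in the Proof of Concept. With onlyAllowedCreator on createNativeDistribution, the same call from an arbitrary address reverts with NotAllowedCreator, so stranded funds stay in the contract until an authorised creator distributes them. A separate, authorised sweep path for funds sent directly to the contract is a design decision the project would still need to make; it is not shown here.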