Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

claimFees may end up locking user funds #39

Open
code423n4 opened this issue Nov 14, 2021 · 1 comment
Open

claimFees may end up locking user funds #39

code423n4 opened this issue Nov 14, 2021 · 1 comment
Assignees
@maximebrugel
Labels
1 (Low Risk) Assets are not at risk. State handling, function incorrect as to spec, issues with comments bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)

Comments

@code423n4
Copy link
Contributor

Handle

0xngndev

Vulnerability details

Impact

In the NestedBuybacker contract, the function claimFees is set to public, meaning anyone can call that function. The function makes a call to feeSplitter.releaseToken(), a function that calculates the amount of fees owed to the msg.sender, and transfers that amount to the msg.sender.
If user A is a shareholder who is owed fees and calls the claimFees function, he would be the msg.sender of claimFees, but the NestedBuybacker contract would be the msg.sender of the internal call claimFees does to feeSplitter.releaseToken, meaning that feeSplitter.releaseToken would transfer tokens to NestedBuybacker instead of transferring them to User A.

Furthermore, there's no dust collector or withdraw function in the Nestedbuybacker contract, meaning that if this scenario ever plays out, those funds would be locked.

Recommended Mitigation Steps

An easy solution would be to make claimFees and internal function in NestedBuybacker. If an user wants to withdraw their fees, they can always call releaseToken in the feeSplitter contract, which is also public.
@code423n4 code423n4 added 1 (Low Risk) Assets are not at risk. State handling, function incorrect as to spec, issues with comments bug Something isn't working labels Nov 14, 2021
code423n4 added a commit that referenced this issue Nov 14, 2021
@code423n4
0xngndev issue #39
86c56cc
@adrien-supizet
Copy link
Collaborator

We agree that the claimFees function should be internal and not public.
Although the behavior described is inaccurate. The FeeSplitter would always transfer the funds to the NestedBuyBacker and not to the caller of the NestedBuyBacker.

Confirmed but severity should be non critical

@adrien-supizet adrien-supizet added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Nov 18, 2021
@maximebrugel maximebrugel self-assigned this Dec 14, 2021
@maximebrugel maximebrugel mentioned this issue Dec 14, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maximebrugel maximebrugel

Labels
1 (Low Risk) Assets are not at risk. State handling, function incorrect as to spec, issues with comments bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@maximebrugel @adrien-supizet @code423n4