code423n4 | Code4rena | CODE423N4:2022-02-REDACTED-CARTEL-FINDINGS-ISSUES-88
Feb 17, 2022 - 12:00 a.m.

[WP-H5] RewardDistributor.setBribeVault() can leave users who haven't claimed their native tokens yet unable to claim the reward anymore


Lines of code

Vulnerability details

In the current implementation, `RewardDistributor._claim()` uses `if (token != bribeVault) {` (where `token` comes from `rewards[_rewardIdentifier].token`) to detect whether the reward is an ERC20 token or the native token (ETH).

However, this is not a trustworthy way to determine whether the reward is in native token or ERC20 token, as the bribeVault can be changed.

When the `bribeVault` is changed with `RewardDistributor.setBribeVault()`, native token rewards will be mis-detected as ERC20 tokens, making `RewardDistributor._claim()` revert, so the affected users won't be able to claim their rewards.

<https://github.com/code-423n4/2022-02-redacted-cartel/blob/92c4d5810df7b9de15eae55dc7641c8b36cd799d/contracts/RewardDistributor.sol#L152-L192>

```solidity
function _claim(
    bytes32 _rewardIdentifier,
    uint256 _index,
    address _account,
    uint256 _amount,
    bytes32[] calldata _merkleProof
) internal {
    Reward memory reward = rewards[_rewardIdentifier];
    // ...
    // Check whether the reward is in the form of native tokens or ERC20
    // by checking if the token address is set to the bribe vault or not
    address token = reward.token;
    if (token != bribeVault) {
        IERC20(token).safeTransfer(_account, _amount);
    } else {
        payable(_account).transfer(_amount);
    }
    // ...
}
```

<https://github.com/code-423n4/2022-02-redacted-cartel/blob/92c4d5810df7b9de15eae55dc7641c8b36cd799d/contracts/RewardDistributor.sol#L65-L73>

```solidity
function setBribeVault(address _bribeVault)
    external
    onlyRole(DEFAULT_ADMIN_ROLE)
{
    require(_bribeVault != address(0), "Invalid bribeVault");
    bribeVault = _bribeVault;

    emit SetBribeVault(bribeVault);
}
```

Recommendation

Consider using `0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE` for the native token.
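
One way to apply this recommendation, as an added example that is not the project's code: the payout branch compares against a constant instead of the mutable `bribeVault`. The names `SentinelPayoutExample`, `IERC20Minimal`, `NATIVE_TOKEN`, `admin`, `rewardToken` and `_payout` are hypothetical, and the example assumes that whatever records reward metadata stores the sentinel address for native-token rewards.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the audited contract. Merkle-proof verification and
// claim bookkeeping are omitted; only the payout branch is shown.
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
}

abstract contract SentinelPayoutExample {
    // Constant marker for native-token rewards (address from the Recommendation).
    address public constant NATIVE_TOKEN =
        0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE;

    address public admin;      // hypothetical stand-in for DEFAULT_ADMIN_ROLE
    address public bribeVault; // may still be rotated by the admin

    // rewardIdentifier => token; assumed to hold NATIVE_TOKEN for ETH rewards
    mapping(bytes32 => address) public rewardToken;

    constructor(address _bribeVault) {
        require(_bribeVault != address(0), "Invalid bribeVault");
        admin = msg.sender;
        bribeVault = _bribeVault;
    }

    receive() external payable {}

    function setBribeVault(address _bribeVault) external {
        require(msg.sender == admin, "Not admin");
        require(_bribeVault != address(0), "Invalid bribeVault");
        bribeVault = _bribeVault; // no longer affects reward classification
    }

    // Branches on the constant, so rewards recorded before a vault change
    // are still paid out as native tokens afterwards.
    function _payout(bytes32 _rewardIdentifier, address _account, uint256 _amount) internal {
        address token = rewardToken[_rewardIdentifier];
        require(token != address(0), "Unknown reward");
        if (token == NATIVE_TOKEN) {
            payable(_account).transfer(_amount);
        } else {
            require(IERC20Minimal(token).transfer(_account, _amount), "Transfer failed");
        }
    }
}
```

Rewards already recorded with the old `bribeVault` address as their token would still need to be migrated to the sentinel value before such a change takes effect.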

