Lines of code

Vulnerability details

Impact

A disputer loses their deposited dispute tokens if someone disputes the tree after them.

Proof of Concept

The Distributor.disputeTree function is used to dispute a Merkle tree. The function requires the caller to deposit disputeAmount of disputeToken; the caller address is stored in the disputer state variable.

When a dispute is resolved by the governor/guardian via a call to Distributor.resolveDispute, the deposited funds are return to the disputer if the dispute is recognized as valid by the governor/guardian.

Since the Distributor.disputeTree function is not restricted (a tree can be disputed by anyone), it’s likely that when an invalid/malicious tree is submitted, there will be multiple parties willing to dispute it (e.g. the distribution creator and some of the reward claimants). However, any subsequent call to disputeTree will override the disputer address, and thus the previous disputer won’t be able to get their deposited tokens back after the resolution of the dispute.

Tools Used

Manual review

Recommended Mitigation Steps

Consider this change:

diff --git a/contracts/Distributor.sol b/contracts/Distributor.sol
index bc4e49f..df56f5f 100644
--- a/contracts/Distributor.sol
+++ b/contracts/Distributor.sol
@@ -231,7 +231,8 @@ contract Distributor is UUPSHelper {
     /// @notice Freezes the Merkle tree update until the dispute is resolved
     /// @dev Requires a deposit of disputeToken that'll be slashed if the dispute is not accepted
     /// @dev It is only possible to create a dispute for disputePeriod after each tree update
     function disputeTree(string memory reason) external {
+        if (disputer != address(0)) revert UnresolvedDispute();
         if (block.timestamp >= endOfDisputePeriod) revert InvalidDispute();
         IERC20(disputeToken).safeTransferFrom(msg.sender, address(this), disputeAmount);
         disputer = msg.sender;

Assessed type

Other

The text was updated successfully, but these errors were encountered:

All reactions