Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

creatorClaimSoldTokens() Does Not Check Destination Address #77

Open
code423n4 opened this issue Dec 3, 2021 · 2 comments
Open

creatorClaimSoldTokens() Does Not Check Destination Address #77

code423n4 opened this issue Dec 3, 2021 · 2 comments
Labels
0 (Non-critical) Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation bug Something isn't working sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue

Comments

@code423n4
Copy link
Contributor

Handle

Meta0xNull

Vulnerability details

Impact

function creatorClaimSoldTokens(address destination) public lock {

Surprisingly creatorClaimSoldTokens() Does Not Transfer Token back to streamCreator who is msg.sender but rather Transfer to a New Destination Address.

Is Not Uncommon Users Accidentally Send Tokens into Contract or Zero Address.

ENS Airdrop is a Good Example Users Accidentally Send Tokens into Contract:
https://discuss.ens.domains/t/social-amend-airdrop-proposal-to-include-accidentally-returned-funds/6975

Creator will Lose His HARD EARN MONEY Either Send Token Back into Contract or Send to Zero Address (Creator Only Allowed to Call This Function Once).

Note: Creator Can't Recover His Money via recoverTokens() because It Minus depositTokenAmount That Should Claimed by Creator.

Proof of Concept

https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L583-L599
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L654

Tools Used

Manual Review

Recommended Mitigation Steps

  1. Simple solution is Transfer Token back to Msg.sender.
    ERC20(depositToken).safeTransfer(msg.sender, amount);

  2. If really need to send to destination address, then:
    require(destination != address(0), "Address Can't Be Zero")
    require(destination != address(this), "Address Can't Be This Contract")
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Dec 3, 2021
code423n4 added a commit that referenced this issue Dec 3, 2021
@code423n4
Meta0xNull issue #77
27a1767
@brockelmore brockelmore added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Dec 3, 2021
@brockelmore
Copy link
Collaborator

The stream creator should be considered competent, even more so than a user as they had to create the stream and likely created rewardToken. Additionally, this is likely to be handled in the UI.

@0xean
Copy link
Collaborator

0xean commented Jan 14, 2022

Downgrading to non-critical. This is an inherent risk of using a blockchain. A user could send funds to 0x0 as well.

@0xean 0xean added 0 (Non-critical) Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Jan 14, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
0 (Non-critical) Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation bug Something isn't working sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@0xean @brockelmore @code423n4