Protocol vulnerable to callback and hook tokens, e.g. ERC777
The protocol does not have a clear policy on the types of whitelisted tokens. According to the NatSpec comment on the constructor ("e.g. USDC, JPYCv1, JPYCv2, USDT, DAI", ProxyFactory.sol lines 77 and 78), the preference seems to be stablecoins and major coins, without a specific policy on what features or risks these tokens may have. There are major tokens that cause problems because of callback and hook functionality.
A callback or hook token, once paid to a winner in the flow above, can attack the protocol as follows:
Run a gas-intensive computation in its callback, consuming all gas, or revert, so that all transfers to the winners fail because payments are made in a loop.
Callback or hook tokens include ERC777, ERC1363, etc.
Medium Impact - this renders the protocol useless, as it cannot pay out all the winners: transfers are made in a loop, and a single transfer fails because a token with a hook or callback causes a revert.
Manual Analysis
It is recommended that the protocol base its whitelisting policy on token risks rather than on whether a token is a major coin, and ensure that tokens with hooks or callbacks, such as ERC777, are not allowed.
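The following is an added illustration, not code from the protocol or from ProxyFactory.sol: a hypothetical `PullPayout` contract showing the push-in-a-loop payout the finding describes next to a pull-based alternative, where a reverting or gas-burning receive hook can only block the claim of the winner holding that token, not everyone else's payout. It assumes OpenZeppelin's `IERC20` and `SafeERC20`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical illustration (not the protocol's ProxyFactory):
/// pull-based payouts so one winner's token hook cannot block the rest.
contract PullPayout {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    address public immutable owner;
    mapping(address => uint256) public owed;

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
    }

    // The pattern this finding warns about: if any one transfer reverts
    // (or a receive hook burns all remaining gas), every payout fails.
    function distributePush(address[] calldata winners, uint256[] calldata amounts) external {
        require(msg.sender == owner, "not owner");
        require(winners.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < winners.length; i++) {
            token.safeTransfer(winners[i], amounts[i]); // single point of failure
        }
    }

    // Hardened pattern: record what each winner is owed, no external call in the loop.
    function distributePull(address[] calldata winners, uint256[] calldata amounts) external {
        require(msg.sender == owner, "not owner");
        require(winners.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < winners.length; i++) {
            owed[winners[i]] += amounts[i];
        }
    }

    // Each winner withdraws separately; a reverting hook affects only this caller.
    function claim() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0; // effects before interaction
        token.safeTransfer(msg.sender, amount);
    }
}
```

Pull payouts do not remove the need for a token allowlist policy; they limit the blast radius when a hook-bearing token is whitelisted anyway.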