Submission Details
Severity:
the `UnripeFacet :: pick` function can be used to steal funds multiple times
Summary
the state variable s.unripeClaimed[token][msg.sender] = true is not checked
Vulnerability Details
user can call the function pick with their max amount they can withdraw wait for it to finish then call it again to make another
withdraw until they drain the contract.
Impact
loss of funds for users and protocol, can also cause a DOS for users who want to make a withdrawal or transfer
Tools Used
manual , fuzz test
Recommendations
add this new line of code
function pick(
address token,
uint256 amount,
bytes32[] memory proof,
LibTransfer.To mode
) external payable nonReentrant {
bytes32 root = s.u[token].merkleRoot;
require(root != bytes32(0), "UnripeClaim: invalid token");
require(!picked(msg.sender, token), "UnripeClaim: already picked");
+ require(s.unripeClaimed[token][msg.sender] ==false, "token Claimed "
bytes32 leaf = keccak256(abi.encodePacked(msg.sender, amount));
require(MerkleProof.verify(proof, root, leaf), "UnripeClaim: invalid proof");
s.unripeClaimed[token][msg.sender] = true;
LibTransfer.sendToken(IERC20(token), amount, msg.sender, mode);
emit Pick(msg.sender, token, amount);
}
Updates
Lead Judging Commences
giovannidisiena about 1 year ago
Submission Judgement Published Reason: Incorrect statement
Assigned finding tags:
Informational/Invalid
Prize pool breakdown
Total prize
35,000 USDC
nSLOC
1,99118 USDC / LOC
30,000 USDC
1,500 USDC
3,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.