Skip to content

Latest commit

 

History

History
116 lines (82 loc) · 3.03 KB

069.md

File metadata and controls

116 lines (82 loc) · 3.03 KB
Raw

Urban Vinyl Koala

High

In VVVVCTokenDistributor.sol::claim() the claim function will always revert if nonce of _params is zero.

Summary

In function VVVVCTokenDistributor.sol::claim()

    function claim(ClaimParams memory _params) public {
        if (claimIsPaused) {
            revert ClaimIsPaused();
        }

        if (_params.projectTokenProxyWallets.length != _params.tokenAmountsToClaim.length) {
            revert ArrayLengthMismatch();
        }
        
        if (_params.nonce <= nonces[_params.kycAddress]) {
            revert InvalidNonce();
        }

        if (!_isSignatureValid(_params)) {
            revert InvalidSignature();
        }

        // update nonce
        nonces[_params.kycAddress] = _params.nonce;

        // define token to transfer
        IERC20 projectToken = IERC20(_params.projectTokenAddress);

        // transfer tokens from each wallet to the caller
        for (uint256 i = 0; i < _params.projectTokenProxyWallets.length; i++) {
            projectToken.safeTransferFrom(
                _params.projectTokenProxyWallets[i],
                msg.sender,
                _params.tokenAmountsToClaim[i]
            );
        }

        emit VCClaim(
            _params.kycAddress,
            _params.projectTokenAddress,
            _params.projectTokenProxyWallets,
            _params.tokenAmountsToClaim,
            _params.nonce
        );
    }

in code line -

https://github.com/sherlock-audit/2024-11-vvv-exchange-update/blob/1791f41b310489aaa66de349ef1b9e4bd331f14b/vvv-platform-smart-contracts/contracts/vc/VVVVCTokenDistributor.sol#L115

        if (_params.nonce <= nonces[_params.kycAddress]) {
            revert InvalidNonce();
        }

if _params.nonce is 0, then it will always revert because _params.nonce = nonces[_params.kycAddress] = 0. This will lead to DOS of claim function for params whose nonce is 0.

Root Cause

_params.nonce being 0, for a claimParams.

Internal pre-conditions

  1. A params contains a nonce with 0 value.

External pre-conditions

No response

Attack Path

No response

Impact

It will cause the claim function to revert everytime if the nonce of ClaimParams parameter is 0. and it can lead to forever stuck of user's claimable token.

PoC

No response

Mitigation

Handling the case with nonce 0, possible changes -

// Creating a mapping zeroNonceStatus
// it will check if nonce of ClaimParams is 0, set it to true.
mapping (ClaimParams => bool) public zeroNonceStatus;
    function claim(ClaimParams memory _params) public {
        // Other logic...
        
        // Check nonce 0 has not been used before, if it's used before code will revert here.
        require (zeroNonceStatus[_params] == false, "Nonce 0 is not allowed");
        
        if (_params.nonce != 0) {
            if (_params.nonce <= nonces[_params.kycAddress]) {
                revert InvalidNonce();
            }
        } else {
            zeroNonceStatus[_params] = true;
        }

        // Other logic...
    }