Platform: Code4rena
Start Date: 13/02/2024
Pot Size: $24,500 USDC
Total HM: 5
Participants: 84
Period: 6 days
Judge: 0xA5DF
Id: 331
League: ETH
Rank: 59/84
Findings: 1
Award: $25.73
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: nuthan2x
Also found by: 0x0bserver, AM, CaeraDenoir, DanielArmstrong, JrNet, Kirkeelee, KmanOfficial, Krace, Limbooo, Meera, SovaSlava, SpicyMeatball, TheSavageTeddy, agadzhalov, aslanbek, atoko, csanuragjain, d3e4, imare, jesjupyter, juancito, kartik_giri_47538, kutugu, max10afternoon, offside0011, pkqs90, turvy_fuzz, xchen1130, zhaojohnson, ziyou-
25.7286 USDC - $25.73
Changing the content of distributableERC20s array during a distribution event poses significant risks that could undermine the integrity and fairness of the token distribution process. Specifically, altering the list of distributable ERC20 tokens during an active distribution can lead to inconsistent rewards among token holders, calculation errors due to added complexity, increased gas costs, execution failures, and a potential loss of trust from the community.
The vulnerability arises from the design of the LiquidInfrastructureERC20 smart contract, where the distributeToAllHolders function can be initiated by any user, not exclusively the contract owner. This opens a scenario where a distribution process might be ongoing, unbeknownst to the contract owner. If, during this period, the owner decides to update the list of distributable ERC20 tokens through the setDistributableERC20s function, inconsistencies can occur due to the lack of synchronization between these actions.
This scenario is particularly problematic because the smart contract does not implement a mechanism to lock the distribution list during an active distribution cycle, nor does it provide a status check to inform the owner or other users of an ongoing distribution. As a result, the contract owner might inadvertently call setDistributableERC20s, expecting to prepare for a future distribution, without realizing that a distribution process has already been initiated by someone else and has not yet been finalized.
User A initiates distributeToAllHolders: The distribution process begins, intending to distribute the current set of ERC20 tokens listed at the time of the call. Owner updates distributable tokens via setDistributableERC20s: Unaware of the ongoing distribution, the owner updates the list to include a new set of ERC20 tokens. Inconsistency in Distribution: The ongoing distribution process now faces a potential mismatch in the assets it was supposed to distribute versus the assets currently listed as distributable. This could result in some token holders receiving a different set of assets than others, or the distribution could fail due to the sudden change in available assets.
Manual review
Implement locking mechanism within setDistributableERC20s function(require(!LockedForDistribution))to prevent updates to the distributable ERC20 tokens array during active distributions. This ensures consistency in the assets being distributed throughout the entire process.
Timing
#0 - c4-pre-sort
2024-02-20T04:22:43Z
0xRobocop marked the issue as insufficient quality report
#1 - c4-pre-sort
2024-02-20T04:22:48Z
0xRobocop marked the issue as duplicate of #151
#2 - c4-pre-sort
2024-02-20T04:38:25Z
0xRobocop marked the issue as duplicate of #260
#3 - c4-judge
2024-03-04T15:09:05Z
0xA5DF marked the issue as satisfactory
#4 - c4-judge
2024-03-08T15:26:19Z
0xA5DF changed the severity to 2 (Med Risk)