57676 SC High: Cross-token accounting in receiver allows permanent freezing of ERC20 royalty payouts
Description
Issue description
```cairo
// src/receiver/receiver.cairo
#[storage]
struct Storage {
    payees: Vec<ContractAddress>,
    shares: Map<ContractAddress, u16>,
    total_released: u256,                  // BUG: not keyed by payment_token
    released: Map<ContractAddress, u256>,  // BUG: not keyed by payment_token
}

fn _release(
    ref self: ContractState, payment_token: ContractAddress, to: ContractAddress,
) -> u256 {
    let token = IERC20Dispatcher { contract_address: payment_token };
    let total_released = self.total_released.read(); // uses global total
    let released = self.released.read(to); // uses global per-payee
    let to_release = self
        ._pending_payment(
            to, token.balance_of(get_contract_address()) + total_released, released,
        );
    if to_release == 0 { return 0; }
    self.released.write(to, released + to_release);
    self.total_released.write(total_released + to_release);
    token.transfer(to, to_release); // reverts if balance insufficient
    ...
}
```
Impact
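The following is an added Python model of the release accounting shown above (example code, not the project's Cairo); it runs the same `_pending_payment` arithmetic once with the counters shared across tokens, as in the finding, and once keyed by payment token, as the mitigation requires. Payee names, share split, token names and amounts are constructed for the illustration.

```python
class Revert(Exception):
    """Stands in for a Cairo panic or a reverted ERC20 transfer."""
class Receiver:
    TOTAL_SHARES = 100  # constructed: P1 and P2 hold 50 shares each
    def __init__(self, shares, keyed_by_token):
        self.shares = dict(shares)   # payee -> share
        self.keyed = keyed_by_token  # False reproduces the finding
        self.balance = {}            # token -> ERC20 balance held
        self.total_released = {}     # key -> u256
        self.released = {}           # (key, payee) -> u256

    def _key(self, token):
        # Vulnerable variant: one counter for every token; mitigated: per token.
        return token if self.keyed else "GLOBAL"

    def receive(self, token, amount):
        self.balance[token] = self.balance.get(token, 0) + amount

    def pending(self, token, payee):
        k = self._key(token)
        total_received = self.balance.get(token, 0) + self.total_released.get(k, 0)
        owed = total_received * self.shares[payee] // self.TOTAL_SHARES
        already = self.released.get((k, payee), 0)
        if owed < already:  # u256 subtraction cannot go negative
            raise Revert("u256 underflow in _pending_payment")
        return owed - already

    def release(self, token, payee):
        k = self._key(token)
        to_release = self.pending(token, payee)
        if to_release == 0:
            return 0
        if to_release > self.balance[token]:  # a reverted transfer undoes all writes
            raise Revert("ERC20 transfer: insufficient balance")
        self.released[(k, payee)] = self.released.get((k, payee), 0) + to_release
        self.total_released[k] = self.total_released.get(k, 0) + to_release
        self.balance[token] -= to_release
        return to_release

def scenario(keyed_by_token):
    """1000 of token A arrives and P1 takes its half; then 100 of B arrives."""
    r = Receiver({"P1": 50, "P2": 50}, keyed_by_token)
    r.receive("A", 1000)
    r.release("A", "P1")
    r.receive("B", 100)
    out = {}
    for payee in ("P1", "P2"):
        try:
            out[payee] = r.release("B", payee)
        except Revert as e:
            out[payee] = str(e)
    return out
```

With the shared counters, P1's release of token B underflows (its global `released` already exceeds half of B's inflated `total_received`) and P2's computed share exceeds the contract's B balance, so neither payee can withdraw B; with per-token counters both receive 50.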
Recommended mitigation steps
Proof of Concept
Running the PoC
Logs from the test run
References