Our bug bounty program is officially closed as we prepare to deploy the SDT Smart Contracts later this week. We would like to thank those from the community who participated by trying to hack our code.
One moderate severity vulnerability was found and is described below, including the new Github commit.
Reproduction Steps
Impact
This vulnerability allows an attacker to steal all money in the escrow system.
Suggested Remediation
Use safe addition when performing sensitive actions.
release method: In this method there are 2 transfers: token.transfer(_recipient, lock.value) and token.transfer(msg.sender, lock.fee); since value + fee is higher than 2**256 it’s impossible to have a successful execution of the release method.
Github
token.transfer(_recipient, lock.value);
if (lock.fee > 0) {
token.transfer(msg.sender, lock.fee);
}
claim method: In this method there is only one transfer: token.transfer(msg.sender, lock.value + lock.fee); since this is an unhandled sum it will produce exactly the same overflow value caused during the escrow fund. So, the amount withdrawn from the contract will be exactly the same amount used to fund the escrow.
Github
token.transfer(msg.sender, lock.value + lock.fee);
Therefore this doesn’t seem to be a exploitable function, and the effect of the overflow would only affect the attacker creating an unreleasable (but claimable) escrow record.
Even though this doesn’t seem to affect anyone besides the attacker with current contracts, this has been categorized as a moderate severity vulnerability because escrow contract is meant to be upgradeable and this could restrict the scope or introduce errors in future updates.
Thanks again to those of you who participated. The SDT Smart Contracts will launch on June 1. We invite you to join us for further updates on Telegram.