StandardBounties Vulnerability Discovered

Mark Beylin
Published in Bounties Network
Dec 5, 2017

At 11:45AM EST today, the Bounties Network team was alerted by Niran Babalola of the ConsenSys Diligence team to a critical severity bug which put funds in jeopardy.

The re-entrancy bug exists when individuals use malicious token contracts with StandardBounties while contributing to the bounty. Specifically:

1. Create a bounty using a malicious token contract that also functions as a proxy. The issuer and the token are both set to this contract.

2. When transfer is called, send a transaction to StandardBounties to change the token of the bounty to ether.

3. When transfer returns, the bounty will be using ether, but the balanceOf check is still pointed at the token, which can return the expected balance.

4. The deposit function will continue, and the balance will be incremented. There’s a positive balance with ether set as the token, but no ether was ever deposited.

[Figure: The modifier which allowed this to occur]
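The flow in steps 1 to 4, as an added Python model (not StandardBounties code and not the modifier in the figure; Registry, ReentrantToken, run and the guarded lock are hypothetical names). With guarded=False the bounty ends up denominated in ether with a credited balance although no ether was sent. With guarded=True a simple lock rejects the mid-call token change; the lock is one common mitigation, assumed here, and not the team's fix.

```python
ETHER = None  # sentinel meaning "this bounty is denominated in ether"
class ReentrancyError(Exception): pass  # on-chain this would be a revert

class Registry:
    def __init__(self, guarded):
        self.guarded, self.locked, self.bounties = guarded, False, []

    def issue(self, issuer, token):
        self.bounties.append({"issuer": issuer, "token": token, "balance": 0})
        return len(self.bounties) - 1

    def change_token(self, bid, caller, new_token):
        if self.guarded and self.locked:  # mitigation: no state change mid-call
            raise ReentrancyError("change_token during external call")
        if caller is not self.bounties[bid]["issuer"]:
            raise PermissionError("only the issuer may change the token")
        self.bounties[bid]["token"] = new_token

    def contribute(self, bid, sender, amount):
        bounty = self.bounties[bid]
        token = bounty["token"]  # reference captured before the external call
        before = token.balance_of(self)
        self.locked = True
        try:
            token.transfer_from(sender, self, amount)  # untrusted external call
        finally:
            self.locked = False
        if token.balance_of(self) != before + amount:  # still asks the old token
            raise ValueError("transfer did not arrive")
        bounty["balance"] += amount  # credited in whatever the token is now

class ReentrantToken:
    """Constructed test double: a token that is also the bounty's issuer."""
    def __init__(self, registry):
        self.registry, self.reported = registry, 0
        self.bid = registry.issue(self, self)
    def balance_of(self, _owner):
        return self.reported  # self-reported, so the post-call check passes
    def transfer_from(self, _src, _dst, amount):
        self.reported += amount
        self.registry.change_token(self.bid, self, ETHER)  # re-enters registry

def run(guarded):
    tok = ReentrantToken(Registry(guarded))
    try:
        tok.registry.contribute(tok.bid, tok, 100)
    except ReentrancyError:
        return "reverted", tok.registry.bounties[tok.bid]["balance"]
    bounty = tok.registry.bounties[tok.bid]
    return ("ether" if bounty["token"] is ETHER else "token"), bounty["balance"]
```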

In response to this discovery, all bounties in the StandardBounties registry have been killed, and no funds remain at risk. We have put a pause on all platform functionality as we rearchitect the contract, to simplify it and avoid any future attacks.

While no funds were lost due to this bug, it serves as yet another reminder that in the byzantine environment of smart contract programming, one can never trust any external contract calls that are made.
