Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
A malicious actor may prevent a counterpart from submitting a valid rating #428
A malicious actor may exploit a vulnerability in the contract to a block a counterpart from submitting a valid rating. Such action will harm the reputation of a counterpart.
Steps to Reproduce (for bugs)
A submission on an empty string should be rejected as it's a special value that indicates a lack of rating which is validated in the
Although the submission regards the same role the
Therefore the counterpart is blocked from submitting a valid rating and it will receive a reputation penalty for which it shouldn't be blamed at all.
I suggest validating the
added a commit
Nov 12, 2018
added a commit
Nov 13, 2018
Thanks for the submission @jakub-wojciechowski !
Overall the likelihood is towards the low end of "Medium" in owasp terms as this is only exploitable by poorly performing task worker or evaluator with some level of technical knowledge (submitting an empty rating won't be possible through the dApp). The impact is "Low" as this only affects the worker and evaluator not earning the correct reputation and worker potentially getting paid when they shouldn't have been. Even though this can potentially affect multiple tasks across multiple colonies, the 5 day buffer period lowers the impact considerably.