If past subcontractor has been kicked, he can steal funds from new subcontractor for task completed. #128
Labels
- 3 (High Risk): Assets can be stolen/lost/compromised directly
- bug: Something isn't working
- duplicate: This issue or pull request already exists
- valid
Lines of code
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Project.sol#L386-L490
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Project.sol#L330-L359
Vulnerability details
Impact
I have already committed the issue with the repeated calls of Project.changeOrder() by anyone.
Here is a worse use case: a past subcontractor can steal funds from the new subcontractor for a completed task.
A subcontractor's funds for completion can be stolen by a previous subcontractor (if any). A bad subcontractor can frontrun the setComplete() transaction: if he calls Project.changeOrder() with the already disclosed data+signature, he sets himself as the active subcontractor and receives the funds for the completed task.
Proof of Concept
Project.changeOrder() is used to change subcontractors for tasks and costs for tasks.
Once this transaction is in history - it can be repeated by anyone using the same data+signature.
And here is setComplete() function.
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Project.sol#L330-L359
It makes a task completed and transfers money to a subcontractor.
The attack is:
Tools Used
Hardhat
Recommended Mitigation Steps
Add a nonce to the data, or store the used data+signature.
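A sketch of both mitigation options together, as an added example that is not part of the original report or the Rigor code base. The contract name, the single `builder` signer, the storage fields and the layout of `data` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;

// Hypothetical, simplified contract: names and data layout are assumptions,
// not the Rigor Project.sol code.
contract ChangeOrderReplayGuard {
    address public immutable builder;            // assumed single authorised signer
    uint256 public changeOrderNonce;             // option 1: next nonce the signer must use
    mapping(bytes32 => bool) public usedDigest;  // option 2: signed payloads already executed
    mapping(uint256 => address) public subcontractorOf;

    constructor(address _builder) {
        builder = _builder;
    }

    function changeOrder(bytes calldata data, bytes calldata signature) external {
        (uint256 taskID, address newSC, uint256 nonce, address project) =
            abi.decode(data, (uint256, address, uint256, address));

        // Bind the payload to this contract and to one position in the sequence.
        require(project == address(this), "wrong project");
        require(nonce == changeOrderNonce, "stale or replayed nonce");

        bytes32 digest = keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", keccak256(data)));
        // Keyed on the digest, not the signature bytes, so a malleated
        // signature over the same data is rejected as well.
        require(!usedDigest[digest], "payload already executed");
        require(_recover(digest, signature) == builder, "bad signer");

        // Either check alone stops the replay; both are shown for comparison.
        usedDigest[digest] = true;
        changeOrderNonce = nonce + 1;
        subcontractorOf[taskID] = newSC;
    }

    function _recover(bytes32 digest, bytes calldata sig) private pure returns (address) {
        require(sig.length == 65, "bad signature length");
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "invalid signature");
        return signer;
    }
}
```

With either check in place, resubmitting an earlier change order's data+signature reverts, so the subcontractor assignment cannot be rolled back to a previous address.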