changeOrder can change completed tasks to inactive, which can be used to steal project money #132
Labels: 3 (High Risk) - Assets can be stolen/lost/compromised directly; bug - Something isn't working; duplicate - This issue or pull request already exists; valid
Lines of code
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/libraries/Tasks.sol#L160-L164
Vulnerability details
Impact
changeOrder calls unApprove on a task, but unApprove doesn't check the current task status (although the comments suggest it should have the onlyActive modifier). This allows completed tasks to be changed to inactive. Coupled with a replay attack, this allows a malicious subcontractor to steal all project money in certain circumstances. Example flow:

1. SC1 is assigned to all tasks.
2. task 1 is changed to SC2 (calls changeOrder on task 1 to SC2).
3. task 1 is changed to SC3 (calls changeOrder on task 1 to SC3).
4. SC3 finishes task 1 and builder + contractor call setComplete on task 1, which pays the task cost to SC3.
5. SC3 re-plays changeOrder to SC2 (using the same data and the available signatures of the builder and/or contractor), which puts task 1 into the inactive state (changing to another subcontractor is required, as the code only calls unApprove if the subcontractor changes).
6. SC3 re-plays the changeOrder to SC3 transaction (the same data + signatures).
7. SC3 accepts the invitation (task status is now active, and all alerts are set, including the task funded alert).
8. SC3 re-plays the setComplete transaction (the same data + signatures), which completes task 1 again and pays out SC3 again.
9. SC3 repeats steps 5-8 to get all available (allocated but not paid) money from the project.

There are also more complex scenarios possible, where changeOrder changes the task cost only, as unApprove is called in such a case too (together with unAllocateFunds), but only if there are not enough allocated funds to pay the increased task cost, so it's harder to use.
Proof of Concept
Copy these to test/Hack.ts and test/utils/hack.ts and run:
yarn test test/Hack.ts
https://gist.github.com/panprog/e9d5ad24b9bdf4ea6efabad5da385d0b
Recommended Mitigation Steps
Do not allow unApprove to change the task state from Complete (depending on the intended functionality it might be possible to call unApprove on Inactive tasks, or only on Active tasks).