Builder can call Community.escrow
again to reduce debt further using same signatures
#161
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
valid
Lines of code
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Community.sol#L509
Vulnerability details
Impact
Since there is no nonce in the data decoded at the beginning of function
escrow
, a builder can call the function multiple times reducing their debt as much as they wish.Proof of Concept
enter a barsign a message that will reduce the debt of the builder by $5,000, upon receipt of physical cash.escrow
is called and debt is reduced to $45,000._data
and_signature
then callsescrow
a further 9 times reducing their debt to zero.Recommended Mitigation Steps
Similar to function
publishProject
, add a new field into the ProjectDetails struct calledescrowNonce
.Modify function
escrow
to check this nonce and update it after the debt has been reduced.See the diff below for full changes.
The text was updated successfully, but these errors were encountered: