Project.changeOrder
can be called multiple times with same signature
#162
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate
This issue or pull request already exists
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
valid
Lines of code
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Project.sol#L386
Vulnerability details
Impact
There are no nonces as part of the data for updating tasks in function
changeOrder
. It is possible that a builder and sub-contractor might agree to a price increase, followed by another price increase later by signing appropriate messages. However, the builder can replay the original message and signature reducing the price down to the first price which is lower than the final price.Proof of Concept
setComplete
is eventually called the sub-contractor only gets $600 even though a new agreement existed for $1000.Recommended Mitigation Steps
Add a nonce field to the
Task
struct and make the nonce part of thechangeOrder
function. See below.The text was updated successfully, but these errors were encountered: