Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No checks for ongoing dispute before some Ciritical Actions #171

Open
code423n4 opened this issue Aug 6, 2022 · 0 comments
Open

No checks for ongoing dispute before some Ciritical Actions #171

code423n4 opened this issue Aug 6, 2022 · 0 comments
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue valid

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-08-rigor/blob/main/contracts/Project.sol#L330
https://github.com/code-423n4/2022-08-rigor/blob/main/contracts/Project.sol#L386
https://github.com/code-423n4/2022-08-rigor/blob/main/contracts/Project.sol#L219

Vulnerability details

Impact

There are 3 instances where a check for ongoing dispute should have been done at the start of the functions, however there were no such checks.

Using setComplete as an example, it was documented in contest page .... If there is no ongoing dispute about that project, task status is updated and payment is made.... , looking at the code, when a TaskPay actionType dispute has been raised for a Task on the project, setComplete() can still be called successfully.

Above is similar to the orderChange() and addTask() functions.

Tools Used

Manual review

Recommended Mitigation Steps

A check for dispute present should be done at the start of the function calls for addTask, orderChange and setComplete functions.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Aug 6, 2022
code423n4 added a commit that referenced this issue Aug 6, 2022
@code423n4
cryptphi issue #171
7795ab0
@parv3213 parv3213 added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Aug 17, 2022
@jack-the-pug jack-the-pug added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax valid and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Aug 27, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue valid
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@parv3213 @code423n4 @jack-the-pug