Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Project.addTasks() wouldn't work properly when it's called from disputes contract. #233

Open
code423n4 opened this issue Aug 6, 2022 · 0 comments
Open

Project.addTasks() wouldn't work properly when it's called from disputes contract. #233

code423n4 opened this issue Aug 6, 2022 · 0 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") valid

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Project.sol#L238

Vulnerability details

Impact

addTasks() function checks this require() to make sure _taskCount is correct.

But it might revert when this function is called after a dispute because it takes a certain time to resolve disputes and other tasks might be added meanwhile.

Proof of Concept

The below scenario would be possible.

  • A project contains 10 active tasks(taskCount = 10) and a builder and contractor are going to add one more task.
  • There were some disagreements between a builder and contractor so they raised a dispute with _taskCount = 10 using raiseDispute().
  • Normally it would take a certain time(like 1 day or more) to resolve the dispute as it must be done by HomeFi owner.
  • Meanwhile, if the builder and contractor need to add another task, they should set _taskCount = 10 and taskCount will be 11 after addition here.
  • After that, the HomeFi admin agreed to add a task with _taskCount = 10, but it will revert here.

So currently, the project builder and contractor shouldn't add new tasks to make their previous dispute valid.

I think it's reasonable to modify that they can add other tasks even though there is an active dispute.

Tools Used

Solidity Visual Developer of VSCode

Recommended Mitigation Steps

I think we can modify not to compare taskCount when it's called from disputes contract.

So we can modify this part like below.

if (_msgSender() != disputes) {
    require(_taskCount == taskCount, "Project::!taskCount");
}
else {
    _taskCount = taskCount;
}
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Aug 6, 2022
code423n4 added a commit that referenced this issue Aug 6, 2022
@code423n4
hansfriese issue #233
0614296
@parv3213 parv3213 added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Aug 16, 2022
@parv3213 parv3213 mentioned this issue Aug 18, 2022
Closed
@JeeberC4 JeeberC4 reopened this Aug 29, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") valid
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@parv3213 @code423n4 @jack-the-pug @JeeberC4