Project.addTasks() wouldn't work properly when it's called from disputes contract. #233
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
valid
Lines of code
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Project.sol#L238
Vulnerability details
Impact
addTasks() function checks this require() to make sure _taskCount is correct. But it might revert when this function is called after a dispute because it takes a certain time to resolve disputes and other tasks might be added meanwhile.
Proof of Concept
The below scenario would be possible.
_taskCount = 10
and taskCount will be 11 after addition here.
_taskCount = 10, but it will revert here.
So currently, the project builder and contractor shouldn't add new tasks to make their previous dispute valid.
I think it's reasonable to modify that they can add other tasks even though there is an active dispute.
Tools Used
Solidity Visual Developer of VSCode
Recommended Mitigation Steps
I think we can modify not to compare taskCount when it's called from disputes contract.
So we can modify this part like below.
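A minimal model of the check described in this report and of the mitigation it proposes, added here as an illustration; it is not code from the issue author or from the Rigor repository. The contract name, both function names, the `_newTasks` parameter and the revert string are hypothetical, and signature checks and task data are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Simplified model written for this example; NOT the Rigor Project contract.
contract ProjectModel {
    address public immutable disputes; // assumed: address of the disputes contract
    uint256 public taskCount;          // number of tasks currently in the project

    event TasksAdded(uint256 firstTaskId, uint256 added);

    constructor(address _disputes) {
        disputes = _disputes;
    }

    /// Behaviour described in the report: every caller must supply the current
    /// count. A payload captured when a dispute was raised carries the count
    /// from that moment, so it reverts if a task was added while the dispute
    /// was pending.
    ///   dispute raised with _taskCount = 10
    ///   another task is added meanwhile   -> taskCount = 11
    ///   dispute resolved with _taskCount = 10 -> require(10 == 11) reverts
    function addTasksStrict(uint256 _taskCount, uint256 _newTasks) external {
        require(_taskCount == taskCount, "stale taskCount");
        _append(_newTasks);
    }

    /// Mitigation proposed in the report: do not compare the count when the
    /// caller is the disputes contract; every other caller is still checked.
    function addTasksRelaxed(uint256 _taskCount, uint256 _newTasks) external {
        if (msg.sender != disputes) {
            require(_taskCount == taskCount, "stale taskCount");
        }
        _append(_newTasks);
    }

    /// Tasks are always appended after the current count, so on the relaxed
    /// path the new ids follow taskCount, not the stale _taskCount.
    function _append(uint256 _newTasks) private {
        emit TasksAdded(taskCount + 1, _newTasks);
        taskCount += _newTasks;
    }
}
```

On the relaxed path the disputed tasks receive ids that follow the live `taskCount`, so anything that derived task ids from the stale value in the dispute payload needs to be checked as well.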