Project party can unilaterally change price paid at task completion #302
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate: This issue or pull request already exists
valid
Lines of code
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Project.sol#L386
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Project.sol#L330
Vulnerability details
Impact
If a task's cost has been changed more than once through multiple calls to changeOrder(), signatures previously passed can be replayed by one party to change the price paid for the task without the consent of the other parties, by frontrunning the call to setComplete().
Proof of Concept
A task's cost can be changed multiple times during negotiations between builder/contractor and subcontractor by calling changeOrder(). Let's say it is changed two times before setComplete() is finally called and the subcontractor is paid. If, for example, the second change sets a cost which is smaller than the first change, then the subcontractor can replay the first change by frontrunning setComplete(), changing the order cost just before payment and managing to be paid more than expected.
Recommended Mitigation Steps
It is suggested to include a nonce in the signed data and compare it with the current nonce (as done elsewhere in the code) to avoid signature replays.
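The replay and the recommended nonce check, modelled in Python as an added example (not code from this issue or from the Rigor contracts). A single HMAC key stands in for the parties' signatures, and the Task class, payload layout and all names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed stand-in: one HMAC key models "all required parties signed".
# The real contract checks each party's signature on-chain instead.
PARTIES_KEY = b"constructed-demo-key"

def sign(payload: bytes) -> bytes:
    return hmac.new(PARTIES_KEY, payload, hashlib.sha256).digest()

def encode(task_id, new_cost, nonce=None):
    # Hypothetical payload layout: "task,cost" or "task,cost,nonce".
    fields = [task_id, new_cost] if nonce is None else [task_id, new_cost, nonce]
    return ",".join(map(str, fields)).encode()

class Task:
    """Hypothetical model of a task whose cost is set by signed change orders."""
    def __init__(self, task_id, cost, use_nonce):
        self.task_id, self.cost, self.use_nonce = task_id, cost, use_nonce
        self.nonce = 0

    def change_order(self, payload: bytes, signature: bytes) -> bool:
        if not hmac.compare_digest(sign(payload), signature):
            return False
        parts = [int(p) for p in payload.decode().split(",")]
        if parts[0] != self.task_id:
            return False
        if self.use_nonce:
            if len(parts) != 3 or parts[2] != self.nonce:
                return False  # signed against an older state: stale or replayed
            self.nonce += 1   # every accepted order invalidates earlier signatures
        elif len(parts) != 2:
            return False
        self.cost = parts[1]
        return True

def replay_scenario(use_nonce: bool):
    """Two agreed changes (150, then 120), then the first one is resubmitted."""
    task = Task(task_id=1, cost=100, use_nonce=use_nonce)
    def order(cost):
        payload = encode(1, cost, task.nonce if use_nonce else None)
        return payload, sign(payload)
    first = order(150)
    assert task.change_order(*first)
    second = order(120)
    assert task.change_order(*second)
    replay_accepted = task.change_order(*first)  # resubmission before completion
    return replay_accepted, task.cost
```

Without the nonce the resubmitted first order is accepted and the cost goes back to 150; with the nonce in the signed data it is rejected and the cost stays at the last agreed value, 120.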