Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Malicious delegated contractor can block funding tasks or mark tasks as complete #320

Open
code423n4 opened this issue Aug 6, 2022 · 1 comment
Open

Malicious delegated contractor can block funding tasks or mark tasks as complete #320

code423n4 opened this issue Aug 6, 2022 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons valid

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-08-rigor/blob/main/contracts/Project.sol#L219
https://github.com/code-423n4/2022-08-rigor/blob/main/contracts/Project.sol#L655
https://github.com/code-423n4/2022-08-rigor/blob/main/contracts/Project.sol#L807

Vulnerability details

Impact

A malicious delegated contractor can add a huge number of tasks (or one task with a huge cost). This would then pose problems in allocateFunds() as tasks could not be funded. Builder could remove delegation for the contractor but couldn't replace the contractor and so couldn't remove the malicious contractor. The contractor is required to sign various state changes in Project.sol. A delegated contractor can also for example complete tasks which results in transferring funds to subcontractors.

This sounds very problematic and would be critical, but reading through the documentation and the code, I'm assuming there is certain trust incorporated and required for the system to work. Hence I'm assuming the system considers a delegated contractor is trustworthy as is the builder. So while the impact may be big I consider the likelihood quite small.

Proof of Concept

When a contractor is delegated, various operations only need his signature.
Project.sol L807

Tools Used

Visual Studio Code

Recommended Mitigation Steps

There's a couple of improvements you could consider:

  1. Create a function to update lastAllocatedTask. This could be restricted to Disputes contract or the builder. This could be used against maliciously inserted tasks.
  2. Add functionality for Disputes contract to be able to remove or replace the contractor. This would be a guard against malicious contractors.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Aug 6, 2022
code423n4 added a commit that referenced this issue Aug 6, 2022
@code423n4
indijanc issue #320
0a119c7
@parv3213 parv3213 added sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) labels Aug 11, 2022
@jack-the-pug
Copy link
Collaborator

I like this finding, but this is probably a design choice. The suggestions make sense to me. I'll keep this as a Med.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons valid
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@parv3213 @code423n4 @jack-the-pug