Malicious delegated contractor can block funding tasks or mark tasks as complete #320
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
disagree with severity: Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons
valid
Lines of code
https://github.com/code-423n4/2022-08-rigor/blob/main/contracts/Project.sol#L219
https://github.com/code-423n4/2022-08-rigor/blob/main/contracts/Project.sol#L655
https://github.com/code-423n4/2022-08-rigor/blob/main/contracts/Project.sol#L807
Vulnerability details
Impact
A malicious delegated contractor can add a huge number of tasks (or one task with a huge cost). This would then pose problems in allocateFunds() as tasks could not be funded. Builder could remove delegation for the contractor but couldn't replace the contractor and so couldn't remove the malicious contractor. The contractor is required to sign various state changes in Project.sol. A delegated contractor can also, for example, complete tasks, which results in transferring funds to subcontractors.

This sounds very problematic and would be critical, but reading through the documentation and the code, I'm assuming there is certain trust incorporated and required for the system to work. Hence I'm assuming the system considers a delegated contractor to be trustworthy, as is the builder. So while the impact may be big, I consider the likelihood quite small.
Proof of Concept
When a contractor is delegated, various operations only need his signature.
Project.sol L807
Tools Used
Visual Studio Code
Recommended Mitigation Steps
There are a couple of improvements you could consider:
- lastAllocatedTask. This could be restricted to Disputes contract or the builder. This could be used against maliciously inserted tasks.
- Disputes contract to be able to remove or replace the contractor. This would be a guard against malicious contractors.
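
The funding stall described in this report, as a simplified Python model added here for illustration (it is not code from Project.sol or from the report). It shows how one oversized task stops in-order funding and how a restricted pointer move lets funding resume. Assumptions: funding runs strictly in order from lastAllocatedTask and stops at the first task the balance cannot cover; the role names and skip_task are hypothetical.

```python
from dataclasses import dataclass, field

BUILDER, CONTRACTOR, DISPUTES = "builder", "contractor", "disputes"  # hypothetical role names


@dataclass
class ProjectModel:
    """Simplified model: tasks are funded strictly in order from last_allocated_task."""
    balance: int
    contractor_delegated: bool = False
    costs: list = field(default_factory=list)    # cost per task, in insertion order
    funded: list = field(default_factory=list)   # indexes of funded tasks
    last_allocated_task: int = 0                 # next task index to try to fund

    def add_task(self, caller, cost):
        # Assumption: with delegation on, the contractor's signature alone is enough.
        allowed = caller == BUILDER or (caller == CONTRACTOR and self.contractor_delegated)
        if not allowed:
            raise PermissionError("builder signature required")
        self.costs.append(cost)

    def allocate_funds(self):
        # Assumption: allocation stops at the first task the balance cannot cover.
        while self.last_allocated_task < len(self.costs):
            cost = self.costs[self.last_allocated_task]
            if cost > self.balance:
                break
            self.balance -= cost
            self.funded.append(self.last_allocated_task)
            self.last_allocated_task += 1
        return list(self.funded)

    def skip_task(self, caller):
        # Hypothetical guard: only builder or Disputes may move the pointer past a task.
        if caller not in (BUILDER, DISPUTES):
            raise PermissionError("restricted to builder or Disputes")
        self.last_allocated_task += 1


def demo():
    p = ProjectModel(balance=100, contractor_delegated=True)
    p.add_task(BUILDER, 30)
    p.add_task(CONTRACTOR, 10**9)   # constructed oversized task
    p.add_task(BUILDER, 40)
    blocked = p.allocate_funds()    # the third task is never reached
    p.skip_task(BUILDER)            # restricted recovery step
    recovered = p.allocate_funds()
    return blocked, recovered
```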