changeOrder requires subcontractor signature when the subcontractor address is 0 #85
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
valid
Lines of code
https://github.com/code-423n4/2022-08-rigor/blob/f2498c86dbd0e265f82ec76d9ec576442e896a87/contracts/Project.sol#L402
https://github.com/code-423n4/2022-08-rigor/blob/f2498c86dbd0e265f82ec76d9ec576442e896a87/contracts/Project.sol#L485
Vulnerability details
Impact
Via
changeOrder
, it is possible to set the subcontractor address to 0 (and it is zero when no one is invited). However, when it is updated later again, a signature of the "current subcontractor" (in this caseaddress(0)
) is still required. This is in contrast to contractors, where the signature is only required when the contractor address is non-zero.Proof Of Concept
1.) Task 1 is assigned to the subcontractor Bob.
2.)
changeOrder
with Bob's signature is used to assign task 1 temporarily to address 0 while a new subcontractor is searched.3.) The price of the task should be changed, which requires the signature of the "current subcontractor" (i.e.,
address(0)
)To be fair, because
SignatureDecoder.recoverKey
returnsaddress(0)
for invalid signatures, an invalid signature could in theory be submitted in step 3. But I do not assume that this is really intended (for instance, there is also the check incheckSignatureTask
, although one could simply use an invalid signature when it isaddress(0)
) and a design that requires the user to submit invalid signatures in certain scenarios would also be very poor in my opinion.Recommended Mitigation Steps
Check if the subcontractor address is zero, do not require a valid signature in such cases.
The text was updated successfully, but these errors were encountered: