Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Finished tasks can be changed #87

Closed
code423n4 opened this issue Aug 4, 2022 · 1 comment
Closed

Finished tasks can be changed #87

code423n4 opened this issue Aug 4, 2022 · 1 comment
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate This issue or pull request already exists valid

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-08-rigor/blob/f2498c86dbd0e265f82ec76d9ec576442e896a87/contracts/Project.sol#L415

Vulnerability details

Impact

In changeOrder when the cost of a task is changed, it is not checked if the task is already finished. If this is the case (in which case tasks[_taskID].alerts[1] is true), the consequences are quite severe. When the new cost is lower than the old one, the difference is withdrawn to the builder's account. When the cost is higher, totalAllocated is either increased (resulting in wrong values for this variable) or the task is unapproved again and funds are unallocated.

Similarly, the owner can also be changed for a finished task, which sets the task to inactive again. This is especially bad in combinatin with recoverTokens, as the function requires all tasks to be finished when recovering funds for the currency of the project.

Recommended Mitigation Steps

Do not allow any changes for finished tasks.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Aug 4, 2022
code423n4 added a commit that referenced this issue Aug 4, 2022
@code423n4
Lambda issue #87
4c20d27
@parv3213
Copy link
Collaborator

Duplicate of #132

@itsmetechjay itsmetechjay added the duplicate This issue or pull request already exists label Aug 18, 2022
@jack-the-pug jack-the-pug added 3 (High Risk) Assets can be stolen/lost/compromised directly valid and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Aug 27, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate This issue or pull request already exists valid
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@parv3213 @code423n4 @jack-the-pug @itsmetechjay