Finished tasks can be changed #87
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate
This issue or pull request already exists
valid
Lines of code
https://github.com/code-423n4/2022-08-rigor/blob/f2498c86dbd0e265f82ec76d9ec576442e896a87/contracts/Project.sol#L415
Vulnerability details
Impact
In
changeOrder
when the cost of a task is changed, it is not checked if the task is already finished. If this is the case (in which casetasks[_taskID].alerts[1]
is true), the consequences are quite severe. When the new cost is lower than the old one, the difference is withdrawn to the builder's account. When the cost is higher,totalAllocated
is either increased (resulting in wrong values for this variable) or the task is unapproved again and funds are unallocated.Similarly, the owner can also be changed for a finished task, which sets the task to inactive again. This is especially bad in combinatin with
recoverTokens
, as the function requires all tasks to be finished when recovering funds for the currency of the project.Recommended Mitigation Steps
Do not allow any changes for finished tasks.
The text was updated successfully, but these errors were encountered: