Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Project.sol and Community.sol have no way to revoke a hash in approvedHashes #64

Open
code423n4 opened this issue Aug 4, 2022 · 2 comments
Open

Project.sol and Community.sol have no way to revoke a hash in approvedHashes #64

code423n4 opened this issue Aug 4, 2022 · 2 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue valid

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Community.sol#L501-L506
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/Project.sol#L108-L115

Vulnerability details

Impact

User is unable to revoke previously approved hash

Proof of Concept

If user reconsiders or notices something malicious about the hash after signing, they should be able to revoke the hash. For example the user approves a hash only to find out later that the hash has been spoofed and they weren't approving what they thought they were. To protect themselves the user should be able to revoke approval, otherwise it may lead to loss of funds or access.

Tools Used

Recommended Mitigation Steps

Add the following function:

function revokeHash(bytes32 _hash) external virtual {
    approvedHashes[_msgSender()][_hash] = false;
}
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Aug 4, 2022
code423n4 added a commit that referenced this issue Aug 4, 2022
@code423n4
0x52 issue #64
a587e80
@parv3213
Copy link
Collaborator

Duplicate of #86

@parv3213 parv3213 marked this as a duplicate of #86 Aug 18, 2022
@itsmetechjay itsmetechjay added the duplicate This issue or pull request already exists label Aug 18, 2022
@jack-the-pug jack-the-pug mentioned this issue Sep 4, 2022
Open
@jack-the-pug jack-the-pug removed the duplicate This issue or pull request already exists label Sep 4, 2022
@JeeberC4 JeeberC4 reopened this Sep 5, 2022
@parv3213
Copy link
Collaborator

Duplicate of #86

This is a separate issue and not a duplicate. I do not find it essential to revoke a hash. As off-chain signatures can never be marked as invalid, adding this feature for on-chain signatures makes no sense.

@parv3213 parv3213 added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Sep 12, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue valid
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@parv3213 @code423n4 @jack-the-pug @itsmetechjay @JeeberC4