Hash approval not possible when contractor == subcontractor #86
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
valid
Lines of code
https://github.com/code-423n4/2022-08-rigor/blob/f2498c86dbd0e265f82ec76d9ec576442e896a87/contracts/Project.sol#L859
Vulnerability details
Impact & Proof Of Concept
When a contractor (let's say Bob) is also a subcontractor (which can be a valid scenario), it is not possible to use the hash approval feature for
checkSignatureTask
. The first call tocheckSignatureValidity
will already deleteapprovedHashes[address(Bob)][_hash]
, the second call therefore fails.Note that the same situation would also be possible for builder == contractor, or builder == subcontractor, although those situations are probably less likely to occur.
Recommended Mitigation Steps
Delete the approval only when all checks are done.
The text was updated successfully, but these errors were encountered: