The Unlock.addLockTemplate function allows modifying an already existing version.
Impact
Users that did their due diligence on the code and want to update can be frontrun by an addLockTemplate action and update to a version which they don't want. This frontrunning may happen accidentally.
Users could update to version X, then version X is updated, and the user has no way to update to the new version X because updating requires using version X + 1. When version X + 1 is released, it could be that it is incompatible with the old version X and the user's lock is broken.
Recommended Mitigation Steps
Disallow updating existing template versions.
Ensure that the versions that are deployed work and create a new version for each iteration.
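The recommended mitigation as an added example (not code from the Unlock repository or from the report): a simplified registry showing an overwritable template setter beside a write-once one. The contract, function and error names are hypothetical, and the sequential-version rule and the `expectedImpl` pin go beyond the recommendation to cover the frontrunning case described under Impact.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified template registry (illustration only, not Unlock's contract).
contract TemplateRegistry {
    address public owner;
    uint16 public latestVersion;
    mapping(uint16 => address) public implOf;     // version => implementation
    mapping(address => uint16) public versionOf;  // implementation => version

    event TemplateAdded(address indexed impl, uint16 indexed version);

    modifier onlyOwner() {
        require(msg.sender == owner, "NOT_OWNER");
        _;
    }

    constructor() { owner = msg.sender; }

    // Before (kept for contrast only): silently replaces whatever a version
    // pointed to, so the code behind "version X" can change after a review.
    function addTemplateMutable(address impl, uint16 version) external onlyOwner {
        implOf[version] = impl;
        versionOf[impl] = version;
        if (version > latestVersion) latestVersion = version;
        emit TemplateAdded(impl, version);
    }

    // After: each version is write-once and versions are strictly sequential,
    // so every fix ships as X + 1 and stays reachable via the X -> X + 1 path.
    function addTemplate(address impl, uint16 version) external onlyOwner {
        require(impl != address(0), "ZERO_IMPL");
        require(implOf[version] == address(0), "VERSION_EXISTS");
        require(versionOf[impl] == 0, "IMPL_ALREADY_REGISTERED");
        require(version == latestVersion + 1, "NON_SEQUENTIAL_VERSION");
        implOf[version] = impl;
        versionOf[impl] = version;
        latestVersion = version;
        emit TemplateAdded(impl, version);
    }

    // Lets a user pin the exact implementation they reviewed: resolution
    // reverts if the version maps to anything else.
    function resolve(uint16 version, address expectedImpl) external view returns (address) {
        address impl = implOf[version];
        require(impl != address(0) && impl == expectedImpl, "TEMPLATE_MISMATCH");
        return impl;
    }
}
```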
We actually decided against this to keep some flexibility for the "owner" of the Unlock contract (DAO) to push a new version with no storage change at no risk for users.
Handle
cmichel