hats-finance / HATs-Arbitration-Contracts-0x79a618f675857b45934ca1c413fd5f409cf89735

MIT License

The `_descriptionHash` parameter passed into the setVaultDescription function cannot be set #41

Open hats-bug-reporter[bot] opened 8 months ago

hats-bug-reporter[bot] commented 8 months ago

Github username: @ololade97
Submission hash (on-chain): 0xdb761c8b6418415462587b12cb43b50f568a4bf127b8649979c8a0f28ab931ae
Severity: high

Description: The _descriptionHash parameter passed into the setVaultDescription function cannot be set. There is no variable passed to the function or anything else through which the _descriptionHash parameter can be set.

The function only emits an unset _descriptionHash parameter - nothing will be emitted by the way.

Attack Scenario: The _descriptionHash parameter cannot be set in the setVaultDescription function.

Attachments https://github.com/hats-finance/hats-contracts/blob/0d6ebbde912bc272d9b310140d434ee2aacd36d3/contracts/HATVault.sol#L133-L135

  1. Proof of Concept (PoC) File

    function setVaultDescription(string calldata _descriptionHash) external onlyRegistryOwner {
        emit SetVaultDescription(_descriptionHash);
    }

  2. Revised Code File (Optional)

bahurum commented 8 months ago

There is no state variable corresponding to the description hash to be set. Note that also initialize() just emits the SetVaultDescription() event. The description is stored off-chain and the last SetVaultDescription() event is read to validate the description.
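The off-chain flow described in the reply above, as an added example that is not part of the thread or the Hats code base: a client treats the most recent `SetVaultDescription` event as the current description hash and checks an off-chain document against it. The `Log` record, the helper names, the constructed sample logs and the use of SHA-256 as the content hash are assumptions for illustration; the page does not say how the hash is derived.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Log:
    """Hypothetical decoded event log entry (not a real library type)."""
    block_number: int
    log_index: int
    event: str
    description_hash: str = ""


def digest(document: bytes) -> str:
    # Assumption: SHA-256 hex stands in for whatever content hash is really used.
    return hashlib.sha256(document).hexdigest()


def current_description_hash(logs):
    """Return the hash carried by the latest SetVaultDescription event, or None."""
    events = [entry for entry in logs if entry.event == "SetVaultDescription"]
    if not events:
        return None
    # Chain order is (block number, index within the block), not list order.
    latest = max(events, key=lambda entry: (entry.block_number, entry.log_index))
    return latest.description_hash


def description_is_valid(document: bytes, logs) -> bool:
    """True only if the document matches the most recently emitted hash."""
    expected = current_description_hash(logs)
    return expected is not None and digest(document) == expected


# Constructed sample data: one event from initialize(), one from a later
# setVaultDescription() call, plus an unrelated event, deliberately unsorted.
OLD_DOC = b'{"project": "example vault", "version": 1}'
NEW_DOC = b'{"project": "example vault", "version": 2}'
LOGS = [
    Log(210, 3, "SetVaultDescription", digest(NEW_DOC)),
    Log(250, 0, "Deposit"),
    Log(100, 1, "SetVaultDescription", digest(OLD_DOC)),
]

if __name__ == "__main__":
    print("new description valid:", description_is_valid(NEW_DOC, LOGS))
    print("old description valid:", description_is_valid(OLD_DOC, LOGS))
```
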