Open hats-bug-reporter[bot] opened 3 months ago
Per the sponsor's take on the matter with the trustworthyness of the module roles:
If the Claimer can provide false claims, that is OOS since he is trusted not to do so. But if he can bypass important checks, put in place to limit his ability, it should be valid since it is not part of his intended functionality
Your ability showcases how if the 2 roles turn malicious they can game the contract, but they do not use any functionality that they should not have, they use their trustfully granted ability to manage the contract's funds.
Thus I think OOS.
Github username: @0xfuje Twitter username: 0xfuje Submission hash (on-chain): 0x4406e1f858eeeca455d65a078cb1705f1ea398ac61a52567e611e0ccf573d11a Severity: medium
Description:
Impact
Loss of orchestrator system funds
Description
The verifier and claimant can collude to steal all valid bounties made by
BOUNTY_ISSUER_ROLE
. I believe the problem is that a single address with theVERIFIER_ROLE
is not sufficient to validate this flow of funds.Proof of Concept
20_000
USDC
addClaim()
verifyClaim()
Recommendation
Consider to have one of the alternative solutions for
VERIFIER_ROLE
:BOUNTY_ISSUER_ROLE
should always check if the bounty is correct beforeverifyClaim()
.VERIFIER_ROLE
and enforceonlyOrchestratorAdmin
on the access control ofverifyClaim()
since that's the highest form of access control in the system.