`_bundle.chainId` must be validated on campaign creation in `createCampaigns()`

[hats-bug-reporter[bot]]

Github username: -- Twitter username: -- Submission hash (on-chain): 0x46de6f36814102b66249d60cdba86a0cf9b5845d6f37ceadd0e52bc7be26ab34 Severity: medium

Description: Description\ - SUMMARY -

Given that the contracts will be deployed on multiple chains depending on the demand, it is important that the chainIds are validated.

- DETAILS -

Looking at the code below, _bundle.chainId is not validated which may cause wrong information to slip in the system and event emissions.

• createCampaigns() @ L160-L189

  function createCampaigns(CreateBundle[] calldata _bundles) external {
      uint32 _fee = _resolvedFee();
      uint32 _minimumCampaignDuration = minimumCampaignDuration;
      uint32 _maximumCampaignDuration = maximumCampaignDuration;
  
      for (uint256 _i = 0; _i < _bundles.length; _i++) {
          CreateBundle memory _bundle = _bundles[_i];
  
          if (_bundle.pool == address(0)) revert InvalidPool();
          if (_bundle.from <= block.timestamp) revert InvalidFrom();
          if (
              _bundle.to < _bundle.from + _minimumCampaignDuration
                  || _bundle.to - _bundle.from > _maximumCampaignDuration
          ) revert InvalidTo();
          if (
              _bundle.rewardTokens.length == 0 || _bundle.rewardTokens.length > MAX_REWARDS_PER_CAMPAIGN
                  || _bundle.rewardTokens.length != _bundle.rewardAmounts.length
          ) revert InvalidRewards();
  
          bytes32 _id = _campaignId(_bundle);
          Campaign storage campaign = campaigns[_id];
          if (campaign.from != 0) revert CampaignAlreadyExists();
  
          campaign.owner = msg.sender;
  @>      campaign.chainId = _bundle.chainId; // @audit no validation
          campaign.pool = _bundle.pool;
          campaign.from = _bundle.from;
          campaign.to = _bundle.to;
          campaign.specification = _bundle.specification;
          campaign.rewards = _bundle.rewardTokens;
          ...
      }
  }

• createCampaigns() @ L218-L229

  emit CreateCampaign(
      _id,
      msg.sender,
  @>  _bundle.chainId, // @audit may log a wrong chainId
      _bundle.pool,
      _bundle.from,
      _bundle.to,
      _bundle.specification,
      _bundle.rewardTokens,
      _rewardAmountsMinusFees,
      _feeAmounts
  );      

- IMPACT -

When the wrong chainId slips in the system and event emitted:

1. May cause revert if the reward tokens are sent mistakenly to a wrong chain.
2. May cause loss of funds if the reward tokens are sent mistakenly to a wrong chain when the recipient account is from a centralized exchange.
3. Reputational risk if the users realize that the wrong chainId is being used.

- MITIGATION -

Call block.chainid and compare it with _bundle.chainId. Revert the function if they are not equal.

Attachments

1. Proof of Concept (PoC) File n/a

2. Revised Code File (Optional) n/a

[luzzif]

The chainId in this context just refers to the chain id where the targeted pool lives, not the chain id of the Metrom campaign being created. As such, this data along with the pool address is indexed by the backend and validated there.

[0xgreywolf]

Thank you for the explanation.