hats-finance / Metrom-0xfdfc6d4ac5807d7460da20a3a1c0c84ef2b9c5a2

Smart contracts for the Metrom project.
GNU General Public License v3.0

Metrom.sol contract does not support updating campaigns as mentioned by natspec #58

Open hats-bug-reporter[bot] opened 5 months ago

hats-bug-reporter[bot] commented 5 months ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0xb10f34b9550728c82540158a579d7d60268626fc58e64c7d5217f218e0004ec0
Severity: low

Description

The @notice natspec tag at the top of the Metrom.sol contract here states:

It supports creation and update of campaigns as well as claims and recoveries of unassigned rewards for each one of them.

Attack Scenario

We can see that the contract supports creation of campaigns, claiming and recovering of rewards, but it does not support updating campaigns anywhere as expected by the natspec.

Attachments

https://github.com/hats-finance/Metrom-0xfdfc6d4ac5807d7460da20a3a1c0c84ef2b9c5a2/blob/e9d6b1e594d5bb3694bfe68f73399156ebb5d3a4/src/Metrom.sol#L26

1. Revised Code File (Optional)

If the intention is to allow updating campaigns, consider implementing support for it. But if not, consider removing the natspec comment.

luzzif commented 5 months ago

Note that campaigns are indeed updatable, in particular the "root" part of them, which is part of the mechanism through which rewards are distributed. That's why I marked this as invalid.