Open hats-bug-reporter[bot] opened 1 month ago
consensusTakeReceipt()
as an internal function is used in consensusTakeReceiptDelegate()
, consensusTakeReceiptUndelegateStart()
and consensusTakeReceiptUndelegateDone()
functions so the receiptId
being used as input by these functions would be the starting from nextReceiptId++
i.e ( nextReceiptId = 4294967296 onwards). No fake receipientID can be passed in either of above functions. Therefore, i believe this issue is invalid.
Github username: -- Twitter username: -- Submission hash (on-chain): 0x7e8a9483f162fa303cb381cf9da4b303d829648091dfb130ea24a6f065d74114 Severity: medium
Description:
Description
Inside function
consensusTakeReceipt
the following check is ensured:This check is made to ensure that no incorrect
receiptId's
are trying to be retrieved whenever calling, for example,takeReceiptDelegate
.The issues arises however, since
receiptId
starts incrementing fromnextReceiptId
which is set to429467296
instead of 0, essentially changing the starting point to a self set numberThis is used whenever a new
receiptId
is issued, for example, insidedelegate
but since the check inside
consensusTakeReceipt
uses 0 it will incorrectly allow anyreceiptId's
above 0 which in fact can never be valid since thereceiptId
starts incrementing fromnextReceiptId
This could end up in allowing fake receipts to be let through
Recommendation
Change the
receiptId
check insideconsensusTakeReceipt
to correctly disallow incorrect receiptId's