hats-finance / SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7


Incorrect template id #46

Open hats-bug-reporter[bot] opened 1 month ago

hats-bug-reporter[bot] commented 1 month ago

Github username: @Jelev123
Twitter username: zhulien_zhelev
Submission hash (on-chain): 0x8ad58a29f1ad07bf1420ad03e9ad1a0fcfb042deac63967a4d61b92714f12e6e
Severity: low

Description: In the createTemplate function, when a template is created, its id is set to nextTemplateID, which is 0 by default.

Impact

When askQuestion and askQuestionWithMinBond are used, they check `require(templates[template_id] > 0)`, but the templateId will be 0 at the first creation of a template, and these functions will revert.

1. Proof of Concept (PoC) File

```solidity
// Excerpt of Reality.eth's template and question functions as quoted in the report;
// the contract's state variables, modifiers, events and _askQuestion are not shown here.
uint256 nextTemplateID = 0;

function createTemplate(string memory content)
    stateAny()
public returns (uint256) {
    uint256 id = nextTemplateID; // <--- first template gets id 0
    templates[id] = block.number;
    template_hashes[id] = keccak256(abi.encodePacked(content));
    emit LogNewTemplate(id, msg.sender, content);
    nextTemplateID = id + 1;
    return id; /// @audit is this valid?
}

function createTemplateAndAskQuestion(
    string memory content,
    string memory question, address arbitrator, uint32 timeout, uint32 opening_ts, uint256 nonce
)
    // stateNotCreated is enforced by the internal _askQuestion
public payable returns (bytes32) {
    uint256 template_id = createTemplate(content);
    return askQuestion(template_id, question, arbitrator, timeout, opening_ts, nonce);
}

function askQuestion(uint256 template_id, string memory question, address arbitrator, uint32 timeout, uint32 opening_ts, uint256 nonce)
    // stateNotCreated is enforced by the internal _askQuestion
public payable returns (bytes32) {

    require(templates[template_id] > 0, "template must exist"); // <-- the check in question

    bytes32 content_hash = keccak256(abi.encodePacked(template_id, opening_ts, question));
    bytes32 question_id = keccak256(abi.encodePacked(content_hash, arbitrator, timeout, uint256(0), address(this), msg.sender, nonce));

    // We emit this event here because _askQuestion doesn't need to know the unhashed question. Other events are emitted by _askQuestion.
    emit LogNewQuestion(question_id, msg.sender, template_id, question, content_hash, arbitrator, timeout, opening_ts, nonce, block.timestamp);
    _askQuestion(question_id, content_hash, arbitrator, timeout, opening_ts, 0);

    return question_id;
}
```

**Recommendation**

Set the `nextTemplateId` to start from 1.

greenlucid commented 1 month ago

Check the reality.eth constructor, it automatically creates a bunch of templates. Also it's not comparing template_id, but the timestamp of its creation. Finally, this would be a reality.eth vuln if anything, out of scope. ChatGPT should be banned
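A minimal Foundry test of the point greenlucid makes, added here as an illustration and not code from the Reality.eth or Seer repositories: the stand-in contract keeps only the template bookkeeping and the existence check, stubs out the question logic, and shows that the check passes for id 0 because it compares the stored creation block, not the id.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "forge-std/Test.sol";

// Stripped-down stand-in (not Reality.eth's contract): only the template
// bookkeeping and the "template must exist" check are reproduced.
contract TemplateCheck {
    mapping(uint256 => uint256) public templates;       // id => creation block
    mapping(uint256 => bytes32) public template_hashes; // id => content hash
    uint256 public nextTemplateID = 0;

    function createTemplate(string memory content) public returns (uint256) {
        uint256 id = nextTemplateID;
        templates[id] = block.number; // stores the block number, never the id
        template_hashes[id] = keccak256(abi.encodePacked(content));
        nextTemplateID = id + 1;
        return id;
    }

    function askQuestion(uint256 template_id, string memory question) public view returns (bytes32) {
        // Same existence check the report quotes: non-zero creation block.
        require(templates[template_id] > 0, "template must exist");
        return keccak256(abi.encodePacked(template_id, question));
    }
}

contract TemplateCheckTest is Test {
    TemplateCheck c;

    function setUp() public {
        vm.roll(1); // any live chain is past block 0 when createTemplate runs
        c = new TemplateCheck();
    }

    function test_firstTemplateIsUsable() public {
        uint256 id = c.createTemplate("first");
        assertEq(id, 0);                 // the first template really does get id 0
        assertGt(c.templates(0), 0);     // but the stored value is block.number
        c.askQuestion(0, "does this revert?"); // passes: no revert for id 0
    }

    function test_unknownTemplateReverts() public {
        vm.expectRevert(bytes("template must exist"));
        c.askQuestion(7, "never created"); // only ids with no creation block revert
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed; both tests pass, which is the same observation clesaege reports from the live deployment.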

Jelev123 commented 1 month ago

I didn't use ChatGPT @greenlucid

clesaege commented 1 month ago

I don't see a vuln there, you do indeed need a template to exist to ask a question. Moreover this is already deployed and we are able to ask questions.