search

sherlock-audit / 2023-02-hats-judging

2 stars 0 forks source link

GimelSec - Bad admins can front-run mintHat() #103

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

GimelSec

medium

Bad admins can front-run mintHat()

Summary

If an admin wants to mint a hat for someone, the admin should call createHat() first and then call mintHat() to deliver the hat. Since mintHat() can be called by all the admins of the minted hat, any admin can front-run mintHat().

Vulnerability Detail

mintHat() can be called by any admin of the minted hat. And If an admin wants to mint a hat for someone, the admin must call createHat() first. A bad admin can block other admins from minting hats to the recipients by front-running mintHat(). https://github.com/Hats-Protocol/hats-protocol/blob/fafcfdf046c0369c1f9e077eacd94a328f9d7af0/src/Hats.sol#L241

    function mintHat(uint256 _hatId, address _wearer) public returns (bool success) {
        …

        // only the wearer of a hat's admin Hat can mint it
        _checkAdmin(_hatId);

        …
    }

Impact

A bad admin can block other admins from minting hats to the recipients.

Code Snippet

https://github.com/Hats-Protocol/hats-protocol/blob/fafcfdf046c0369c1f9e077eacd94a328f9d7af0/src/Hats.sol#L241 https://github.com/Hats-Protocol/hats-protocol/blob/fafcfdf046c0369c1f9e077eacd94a328f9d7af0/src/Hats.sol#L520 https://github.com/Hats-Protocol/hats-protocol/blob/fafcfdf046c0369c1f9e077eacd94a328f9d7af0/src/Hats.sol#L831

Tool used

Manual Review

Recommendation

Add an optional argument in createHat() so that the admins can decide if they want to mint the created hat on their own.

spengrah commented 1 year ago

This is expected behavior. By design, higher level admins delegate to lower level admins, which means they should have authority over lower level admins. Future versions of the protocol may introduce more configuration options that establish additional models, but this simplicity is intentional for v1.