Closed sherlock-admin3 closed 1 week ago
This misunderstands how records work in Aleo. Records can only be spent by the owner by default as they are encrypted and signature verification happens as part of the proof generation.
It's not possible to spend a record where record.owner
!= self.signer
joicygiore
Medium
credits.record::join
lacksowner
validation, which may result in merging records with different ownersSummary
credits.record::join
lacksowner
validation, which may result in merging records with different ownersVulnerability Detail
credits.record::join
lacks the checkcredits.record.owner
, merging records with different owners may lead to data inconsistency or logic errors.As a comparison, we can refer to the relevant methods in
large_functions.aleo
, which will check whethercredits.record.owner
is equalImpact
credits.record::join
lacksowner
validation, which may result in merging records with different ownersCode Snippet
https://github.com/sherlock-audit/2024-05-aleo/blob/main/snarkVM/synthesizer/program/src/resources/credits.aleo#L930-L943 https://github.com/sherlock-audit/2024-05-aleo/blob/main/snarkVM/synthesizer/process/src/resources/large_functions.aleo#L5-L13
Tool used
Manual Review
Recommendation
Add
owner
check