Closed studentofcoding closed 6 months ago
Hi there!
Based on the Smart Contract, I found 1 concern that might lead to unauthorized approvals and bypassing security measures on order.func, which allows an approval to be made without proper authorization checks on this part
https://github.com/ton-blockchain/multisig-contract-v2/blob/107ee13aa4cbabdc9ff0684b738dcd272c4211bc/contracts/order.func#L229C5-L238C6
To address this, we should add authorization checks before allowing approvals to proceed, as the PoC shows below:
```func
;; Additional authorization checks
(int threshold, cell signers, int signers_num, cell proposers) = get_multisig_data();
throw_unless(error::unauthorized_sign, threshold > 0);
throw_unless(error::unauthorized_sign, threshold <= signers_num);
throw_unless(error::unauthorized_sign, signers_num >= 1);
approve(signer_index, sender_address, query_id);
```
Best Regards,
Telegram: @mousye_mousye
chatgpt, ban