Platform: Code4rena
Start Date: 01/08/2022
Pot Size: $50,000 USDC
Total HM: 26
Participants: 133
Period: 5 days
Judge: Jack the Pug
Total Solo HM: 6
Id: 151
League: ETH
Rank: 42/133
Findings: 1
Award: $154.28
🌟 Selected for report: 0
🚀 Solo Findings: 0
154.2761 USDC - $154.28
The team had mentioned that in order to publish a project, the project must have at least one task, which means a budget > 0. However, the function publishProject does not check that; a member can post a project without any task.
This is where they mentioned that:
Builder publishes his project to the community. It requires signing data that includes community ID, APR, publishing fee and nonce. Both builder and community owner have to sign the data. The signatures and data are used to call publishProject(bytes _data, bytes _signature). Note that you cannot submit a project with no total budget. Therefore it requires at least one task with a budget > 0.
The function for publishProject:
https://github.com/code-423n4/2022-08-rigor/blob/b17b2a11d04289f9e927c71703b42771dd7b86a4/contracts/Community.sol#L206
It must check whether the project has a task before publishing the project, or else it must revert; otherwise a user can create a project and have it added directly to the community, which is against what the team described.
#0 - zgorizzo69
2022-08-11T07:57:21Z
duplicate of #16