`TractorFacet.cancelBlueprint()` completely removes ability to execute defined set of actions in future
Summary
Blueprint is cancelled by setting type(uint256).max nonce so it can't be incremented during execution.
Problem is that blueprintHash value depends on publisher and defined set of actions.
Example of using Tractor acctoding to specification:
A Farmer creates a Blueprint for an Operator to Plant on their behalf anytime they have more than 100 Plantable Seeds and will pay the caller 1 Earned Bean.
Suppose a scenario:
User wants to allow operators to Plant and signs blueprint
For some reason he calls
cancelBlueprint(). He could changed his mind or different reason, doesn't matterNow he realizes it was right decision to allow operators to Plant. However that Blueprint has already been cancelled.
As a result he can't use blueprint with exact same parameters because it was cancelled forever. And this behaviour is not documented.
Vulnerability Details
Blueprint hash depends on blueprint parameters:
Blueprint is cancelled by setting maxNonce so it can't be incremented during execution:
Impact
Cancelled Blueprint is cancelled forever. And blueprintHash depends solely on blueprint parameters and publisher, i.e. defined set of actions. Moreover this behaviour is not documented which can result in users cancelling blueprint which they want to use in he future.
Tools Used
Manual review
Recommendations
Add salt to Blueprint struct to make hashes unique even for the same publisher and set of actions.
Lead Judging Commences
Informational/Gas
Invalid as per docs https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
Cancelled Blueprint is cancelled forever due to nonce being set to max.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.