fix: wond-15

defi-wonderland · Jul 26, 2024 · 0a73215 · 0a73215
1 parent fa9f37e
commit 0a73215
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 0 deletions.
diff --git a/solidity/contracts/extensions/AccountingExtension.sol b/solidity/contracts/extensions/AccountingExtension.sol
@@ -129,6 +129,11 @@ contract AccountingExtension is IAccountingExtension {
     if (!(_approvals[_bonder].contains(msg.sender) || _approvals[_bonder].contains(_sender))) {
       revert AccountingExtension_InsufficientAllowance();
     }
+
+    // if (!(_approvals[_bonder].contains(msg.sender) && (_bonder != _sender && _approvals[_bonder].contains(_sender)))) {
+    //   revert AccountingExtension_InsufficientAllowance();
+    // }
+
     if (balanceOf[_bonder][_token] < _amount) revert AccountingExtension_InsufficientFunds();
 
     bondedAmountOf[_bonder][_token][_requestId] += _amount;

diff --git a/solidity/test/integration/ResponseProposal.t.sol b/solidity/test/integration/ResponseProposal.t.sol
@@ -130,4 +130,44 @@ contract Integration_ResponseProposal is IntegrationBase {
     vm.prank(proposer);
     oracle.proposeResponse(mockRequest, mockResponse);
   }
+
+  function test_proposeResponse_fromUnapprovedDisputeModule(bytes memory _responseBytes) public {
+    address _attacker = makeAddr('attacker');
+    mockRequest.nonce += 1;
+    mockRequest.requester = _attacker;
+    mockRequest.requestModuleData = abi.encode(
+      IHttpRequestModule.RequestParameters({
+        url: _expectedUrl,
+        body: _expectedBody,
+        method: _expectedMethod,
+        accountingExtension: _accountingExtension,
+        paymentToken: usdc,
+        paymentAmount: 0
+      })
+    );
+
+    uint256 _oldProposerBalance = _accountingExtension.balanceOf(proposer, usdc);
+    assertGt(_oldProposerBalance, 0);
+
+    vm.startPrank(_attacker);
+    // Attacker creates a request with their own address as the dispute module
+    mockRequest.disputeModule = _attacker;
+    _accountingExtension.approveModule(mockRequest.requestModule);
+    bytes32 _requestIdAttacker = oracle.createRequest(mockRequest, _ipfsHash);
+
+    // Attacker proposes a response from their address (the dispute module) and using another user as the proposer
+    mockResponse.response = _responseBytes;
+    mockResponse.proposer = proposer;
+    mockResponse.requestId = _requestIdAttacker;
+
+    oracle.proposeResponse(mockRequest, mockResponse);
+
+    vm.stopPrank();
+
+    uint256 _newProposerBalance = _accountingExtension.balanceOf(proposer, usdc);
+
+    // Proposer got their balance bonded when they didn't create the response
+    assertTrue(_expectedBondSize != 0);
+    assertEq(_oldProposerBalance, _newProposerBalance + _expectedBondSize);
+  }
 }