From 0a73215fd3ab32e93e71b8f494304e932b3909c1 Mon Sep 17 00:00:00 2001
From: shaito <shaito@defi.sucks>
Date: Fri, 26 Jul 2024 14:30:11 -0300
Subject: [PATCH] fix: wond-15

---
 .../extensions/AccountingExtension.sol        |  5 +++
 .../test/integration/ResponseProposal.t.sol   | 40 +++++++++++++++++++
 2 files changed, 45 insertions(+)

diff --git a/solidity/contracts/extensions/AccountingExtension.sol b/solidity/contracts/extensions/AccountingExtension.sol
index 87743529..0b291ab5 100644
--- a/solidity/contracts/extensions/AccountingExtension.sol
+++ b/solidity/contracts/extensions/AccountingExtension.sol
@@ -129,6 +129,11 @@ contract AccountingExtension is IAccountingExtension {
     if (!(_approvals[_bonder].contains(msg.sender) || _approvals[_bonder].contains(_sender))) {
       revert AccountingExtension_InsufficientAllowance();
     }
+
+    // if (!(_approvals[_bonder].contains(msg.sender) && (_bonder != _sender && _approvals[_bonder].contains(_sender)))) {
+    //   revert AccountingExtension_InsufficientAllowance();
+    // }
+
     if (balanceOf[_bonder][_token] < _amount) revert AccountingExtension_InsufficientFunds();
 
     bondedAmountOf[_bonder][_token][_requestId] += _amount;
diff --git a/solidity/test/integration/ResponseProposal.t.sol b/solidity/test/integration/ResponseProposal.t.sol
index 6798eb70..ecb26a09 100644
--- a/solidity/test/integration/ResponseProposal.t.sol
+++ b/solidity/test/integration/ResponseProposal.t.sol
@@ -130,4 +130,44 @@ contract Integration_ResponseProposal is IntegrationBase {
     vm.prank(proposer);
     oracle.proposeResponse(mockRequest, mockResponse);
   }
+
+  function test_proposeResponse_fromUnapprovedDisputeModule(bytes memory _responseBytes) public {
+    address _attacker = makeAddr('attacker');
+    mockRequest.nonce += 1;
+    mockRequest.requester = _attacker;
+    mockRequest.requestModuleData = abi.encode(
+      IHttpRequestModule.RequestParameters({
+        url: _expectedUrl,
+        body: _expectedBody,
+        method: _expectedMethod,
+        accountingExtension: _accountingExtension,
+        paymentToken: usdc,
+        paymentAmount: 0
+      })
+    );
+
+    uint256 _oldProposerBalance = _accountingExtension.balanceOf(proposer, usdc);
+    assertGt(_oldProposerBalance, 0);
+
+    vm.startPrank(_attacker);
+    // Attacker creates a request with their own address as the dispute module
+    mockRequest.disputeModule = _attacker;
+    _accountingExtension.approveModule(mockRequest.requestModule);
+    bytes32 _requestIdAttacker = oracle.createRequest(mockRequest, _ipfsHash);
+
+    // Attacker proposes a response from their address (the dispute module) and using another user as the proposer
+    mockResponse.response = _responseBytes;
+    mockResponse.proposer = proposer;
+    mockResponse.requestId = _requestIdAttacker;
+
+    oracle.proposeResponse(mockRequest, mockResponse);
+
+    vm.stopPrank();
+
+    uint256 _newProposerBalance = _accountingExtension.balanceOf(proposer, usdc);
+
+    // Proposer got their balance bonded when they didn't create the response
+    assertTrue(_expectedBondSize != 0);
+    assertEq(_oldProposerBalance, _newProposerBalance + _expectedBondSize);
+  }
 }