No validation on _descriptionHash. Could approve a claim with malformed data
hats-bug-reporter commented
GitHub username: @ololade97
Submission hash (on-chain): 0xcf7c99704584dad86c967a69c95ec1e90a4e2aa502d0a03f2f2d501634f238bd
Severity: medium
Description:
Description
The _descriptionHash parameter in the approveSubmitClaimRequest function is used to provide a description of the claim being submitted.
The code currently does not validate or check the _descriptionHash value in any way before passing it to the _vault.submitClaim call.
Without validating the _descriptionHash, the contract has no way to ensure it is actually receiving a valid claim description.
Attack Scenario
The _descriptionHash could be empty or a malformed hash that does not actually describe the claim.
jellegerbrandy commented
No attack is described in this issue.