Skip to content

Security/cancel hunt callback fix#572

Open
theFirstCodeManiac wants to merge 16 commits into
Samuel1-ona:mainfrom
theFirstCodeManiac:security/cancel-hunt-callback-fix
Open

Security/cancel hunt callback fix#572
theFirstCodeManiac wants to merge 16 commits into
Samuel1-ona:mainfrom
theFirstCodeManiac:security/cancel-hunt-callback-fix

Conversation

@theFirstCodeManiac

Copy link
Copy Markdown
Contributor

Closes #78

Pull Request

Summary

Fix a critical authorization vulnerability in cancel_hunt by requiring cryptographic authentication from the hunt creator before allowing cancellation.

Changes Made

  • Added require_auth() for the caller in cancel_hunt
  • Ensured only the authenticated hunt creator can cancel a hunt
  • Retained the existing creator ownership validation
  • Prevented address spoofing attacks against hunt cancellation

Problem

The previous implementation only compared the supplied caller address with hunt.creator without verifying that the caller actually controlled that address. This allowed an attacker to spoof the creator's address and cancel hunts they did not own.

Solution

The function now invokes require_auth() before performing ownership checks, ensuring the transaction is authorized by the creator's account.

Testing

  • Verified the hunt creator can successfully cancel a hunt after authentication
  • Verified unauthenticated callers cannot cancel a hunt
  • Verified spoofed creator addresses fail authorization
  • Confirmed existing cancellation behavior remains unchanged for legitimate users

Security Impact

This change closes a critical authorization bypass by enforcing cryptographic authentication, preventing unauthorized hunt cancellations through address spoofing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

cancel_hunt uses address comparison instead of require_auth()

1 participant