Problem
In TaskManager.completeTask, the self-review guard is bypassed when the caller is a project manager (_isPM check). A project manager can claim a task, submit work, and approve their own submission — minting participation tokens and receiving bounties without independent review.
Location
src/TaskManager.sol — completeTask function, around lines 537-543
Impact
Medium — A malicious or compromised project manager can self-award tokens and bounties, though they are already a trusted role within the project scope.
Recommended Fix
Remove the _isPM exemption from the self-review check, requiring even PMs to have another reviewer complete their tasks. Alternatively, add a separate PM_SELF_REVIEW permission flag.
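The following Solidity sketch is added here to illustrate the recommended fix; it is not the project's TaskManager.sol. The storage layout, the reviewer role, the _isPM helper, and the PM_SELF_REVIEW flag are all assumptions made for the example. It shows the guard as the report describes it (PM exempt) beside the hardened version, which drops the exemption and only honours an explicit, separately granted self-review flag.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative self-review guard. Added example, not the project's code:
/// role storage, task layout and helper names are assumptions.
contract SelfReviewGuardExample {
    struct Task {
        address claimer;   // account that claimed and submitted the work
        uint256 bounty;    // amount credited on completion (constructed value)
        bool exists;
        bool submitted;
        bool completed;
    }

    address public immutable admin;
    mapping(uint256 => Task) public tasks;
    mapping(address => bool) public isReviewer;        // may complete tasks (assumed role)
    mapping(address => bool) private pm;               // project-manager role (assumed)
    mapping(address => bool) public pmSelfReview;      // explicit PM_SELF_REVIEW opt-in (assumed)
    mapping(address => uint256) public participation;  // participation tokens per account
    mapping(address => uint256) public owed;           // bounties credited for later withdrawal

    event TaskCompleted(uint256 indexed taskId, address indexed reviewer, address indexed claimer);
    error SelfReviewForbidden(uint256 taskId, address reviewer);

    constructor() { admin = msg.sender; }

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    modifier onlyReviewer() {
        require(isReviewer[msg.sender] || _isPM(msg.sender), "not a reviewer");
        _;
    }

    function _isPM(address a) internal view returns (bool) { return pm[a]; }

    // Role and task administration (kept minimal so the contract is complete).
    function setPM(address a, bool v) external onlyAdmin { pm[a] = v; }
    function setReviewer(address a, bool v) external onlyAdmin { isReviewer[a] = v; }
    function setPMSelfReview(address a, bool v) external onlyAdmin { pmSelfReview[a] = v; }

    function createTask(uint256 taskId, uint256 bounty) external onlyAdmin {
        require(!tasks[taskId].exists, "task exists");
        tasks[taskId] = Task(address(0), bounty, true, false, false);
    }

    function claimAndSubmit(uint256 taskId) external {
        Task storage t = tasks[taskId];
        require(t.exists && t.claimer == address(0), "task unavailable");
        t.claimer = msg.sender;
        t.submitted = true;
    }

    // BEFORE: the guard is skipped whenever the reviewer is a PM, so a PM who
    // claimed the task can approve their own submission and credit themself.
    function completeTaskVulnerable(uint256 taskId) external onlyReviewer {
        Task storage t = tasks[taskId];
        require(t.submitted && !t.completed, "task not reviewable");
        if (msg.sender == t.claimer && !_isPM(msg.sender)) {
            revert SelfReviewForbidden(taskId, msg.sender);
        }
        _finalize(taskId, t);
    }

    // AFTER: no PM exemption. The only way past the guard is a separate
    // PM_SELF_REVIEW flag that an admin must grant explicitly, so self-approval
    // is an auditable configuration choice rather than an implicit role perk.
    function completeTask(uint256 taskId) external onlyReviewer {
        Task storage t = tasks[taskId];
        require(t.submitted && !t.completed, "task not reviewable");
        if (msg.sender == t.claimer && !pmSelfReview[msg.sender]) {
            revert SelfReviewForbidden(taskId, msg.sender);
        }
        _finalize(taskId, t);
    }

    function _finalize(uint256 taskId, Task storage t) private {
        t.completed = true;                 // state update before any crediting
        participation[t.claimer] += 1;      // mint one participation token
        owed[t.claimer] += t.bounty;        // credit the bounty for withdrawal
        emit TaskCompleted(taskId, msg.sender, t.claimer);
    }
}
```

With the hardened completeTask, a PM who has claimed a task gets SelfReviewForbidden unless an admin has set pmSelfReview for that address; the TaskCompleted event records both reviewer and claimer, so any approval where the two coincide is easy to flag in monitoring.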
Severity
Medium — Backlog