Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

lack of validation for the v and s value in recover() funciton #43

Closed
code423n4 opened this issue Sep 8, 2021 · 2 comments
Closed

lack of validation for the v and s value in recover() funciton #43

code423n4 opened this issue Sep 8, 2021 · 2 comments
Labels
2 (Med Risk) bug Something isn't working sponsor confirmed

Comments

@code423n4
Copy link
Contributor

Handle

JMukesh

Vulnerability details

Impact

due to lack of checking of v and s value in recover() it become prone to signature malleability

Proof of Concept

check out the tryRecover() of ECDSA.sol

https://github.com/OpenZeppelin/openzeppelin-contracts/blob/aefcb3e8aa4ee8da8e2b7022ffe4dcb57fbb0fdf/contracts/utils/cryptography/ECDSA.sol#L147

Tools Used

manual reveiw

Recommended Mitigation Steps

add necessary check to make the signature unique
@code423n4 code423n4 added 2 (Med Risk) bug Something isn't working labels Sep 8, 2021
code423n4 added a commit that referenced this issue Sep 8, 2021
@code423n4
JMukesh issue #43
2c35895
@jkilpatr
Copy link
Collaborator

jkilpatr commented Sep 10, 2021
edited
Loading

Duplicate of #61, #43

@jkilpatr jkilpatr marked this as a duplicate of #61 Sep 10, 2021
This was referenced Sep 10, 2021
Open
Closed
Closed
@albertchon
Copy link
Collaborator

Duplicate of #61

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) bug Something isn't working sponsor confirmed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jkilpatr @albertchon @code423n4