Signature bypass #20
Labels
bug
Something isn't working
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Lines of code
https://github.com/code-423n4/2022-05-cudos/blob/de39cf3cd1f1e1cf211819b06d4acf6a043acda0/solidity/contracts/Gravity.sol#L185
https://github.com/code-423n4/2022-05-cudos/blob/de39cf3cd1f1e1cf211819b06d4acf6a043acda0/solidity/contracts/Gravity.sol#L238-L240
Vulnerability details
Impact
It's possible to bypass the verifySig and checkValidatorSignatures methods using empty signers.
Proof of Concept
The method ecrecover returns address(0) when the signature is wrong, so if a user uses address(0) as a validator or _signer, the comparison returns true:
_signer == ecrecover(messageDigest, _v, _r, _s);
Also, the method checkValidatorSignatures never checks whether a validator is repeated inside the array, so if someone is able to specify the validators and is able to sign with one valid key, repeating the same signature multiple times will count it as a different one each time.
Recommended Mitigation Steps
Check that _signer is not empty.
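As an added illustration (not code from the Cudos Gravity contract), the weak comparison quoted above sits beside a hardened verifySig and a checkValidatorSignatures that rejects repeated validators; the strictly-increasing validator ordering and the meaning of v == 0 are assumptions, not taken from the audited code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration, not Gravity.sol. It mirrors the quoted check
// `_signer == ecrecover(messageDigest, _v, _r, _s)` and adds the fixes.
contract SigCheckExample {
    // Weak form: ecrecover returns address(0) for a malformed signature, so
    // passing address(0) as _signer makes the comparison succeed.
    function verifySigWeak(address _signer, bytes32 digest, uint8 _v, bytes32 _r, bytes32 _s)
        internal pure returns (bool)
    {
        return _signer == ecrecover(digest, _v, _r, _s);
    }

    // Hardened form: refuse an empty signer and refuse a failed recovery
    // separately, so the two cases can never compare equal.
    function verifySig(address _signer, bytes32 digest, uint8 _v, bytes32 _r, bytes32 _s)
        internal pure returns (bool)
    {
        require(_signer != address(0), "empty signer");
        address recovered = ecrecover(digest, _v, _r, _s);
        require(recovered != address(0), "signature recovery failed");
        return _signer == recovered;
    }

    // Duplicate guard: one valid signature must not be counted several times.
    // Requiring strictly increasing validator addresses (an assumed valset
    // convention, not taken from the audited contract) makes any repeat revert.
    // v == 0 is assumed to mean "this validator did not sign".
    function checkValidatorSignatures(
        address[] calldata validators, uint256[] calldata powers,
        uint8[] calldata v, bytes32[] calldata r, bytes32[] calldata s,
        bytes32 digest, uint256 powerThreshold
    ) internal pure {
        uint256 cumulativePower = 0;
        address prev = address(0);
        for (uint256 i = 0; i < validators.length; i++) {
            require(validators[i] > prev, "validators must be strictly increasing");
            prev = validators[i];
            if (v[i] != 0) {
                require(verifySig(validators[i], digest, v[i], r[i], s[i]), "bad signature");
                cumulativePower += powers[i];
                if (cumulativePower > powerThreshold) return;
            }
        }
        revert("insufficient validator power");
    }
}
```

Because prev starts at address(0), the strictly-increasing check also rejects address(0) as the first validator, so the empty-signer case is excluded at both layers.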