Wrong DOMAIN_SEPARATOR
definition
#173
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate
This issue or pull request already exists
Lines of code
https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathToken.sol#L199-L210
Vulnerability details
Impact
Broke the EIP 2612
Proof of Concept
Some contract or dapp/backend could building the
DOMAIN_SEPARATOR
consulting the "rigth"name
to theBathToken
and build the signature with "rigth"digest
messageWhen these try to use the
permit
function (L713), with the "rigth" signature(v, r, s), thepermit
function will revert with the message"bathToken: INVALID_SIGNATURE"
because the expectDOMAIN_SEPARATOR
in theBathToken.sol
contract was built with "wrong"name
Recommended Mitigation Steps
In the
initialize
function(L181) move thename
definition before theDOMAIN_SEPARATOR
definitionThe text was updated successfully, but these errors were encountered: