M-03 Unmitigated #10
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
MR-M-03
satisfactory
satisfies C4 submission criteria; eligible for awards
unmitigated
Lines of code
https://github.com/AmbireTech/ambire-common/blob/f56e7dcaaa4ff8950b39fe6d5bced165d0f1c99f/contracts/AmbireAccount.sol#L131-L191
Vulnerability details
Impact
The mitigation updates the following
AmbireAccount.execute
function by addingnonce++
in thescheduled != 0 && !isCancellation
if
block within thesigMode == SIGMODE_RECOVER || sigMode == SIGMODE_CANCEL
if
block. However, this does not fix M-03: Recovery transaction can be replayed after a cancellation. After a recovery is scheduled, theAmbireAccount.execute
function can be called to cancel this scheduled recovery. For this cancellation,scheduled != 0 && !isCancellation
is false becausesigMode == SIGMODE_CANCEL
andisCancellation
are true. This means thatnonce++
, which would be executed in suchscheduled != 0 && !isCancellation
if
block, is not executed; in the counterpartelse
block,delete scheduledRecoveries[hash]
is executed in theisCancellation
if
block butnonce
still remains the same without being incremented whenreturn
is executed. Becausenonce
is not changed, although the scheduled recovery is removed, theAmbireAccount.execute
function can be called to replay the samecalls
andsignature
inputs, which were previously used to schedule the recovery that is removed, and schedule the same recovery again.Moreover, executing
nonce++
in thescheduled != 0 && !isCancellation
if
block within thesigMode == SIGMODE_RECOVER || sigMode == SIGMODE_CANCEL
if
block is redundant sincenonce = currentNonce + 1
would be executed after thescheduled != 0 && !isCancellation
andsigMode == SIGMODE_RECOVER || sigMode == SIGMODE_CANCEL
if
blocks finish executing. For example, ifnonce
is 1 at this moment, thenuint256 currentNonce = nonce
would setcurrentNonce
to 1,nonce++
would increasenonce
to 2, butnonce = currentNonce + 1
would setnonce
to 2 again.https://github.com/AmbireTech/ambire-common/blob/f56e7dcaaa4ff8950b39fe6d5bced165d0f1c99f/contracts/AmbireAccount.sol#L131-L191
Proof of Concept
The following steps can occur for the described scenario.
AmbireAccount.execute
function is called to schedule a recovery.AmbireAccount.execute
function is called to cancel the recovery scheduled in Step 1.nonce
is not incremented in Step 2, theAmbireAccount.execute
function can be called to replay the samecalls
andsignature
inputs used in Step 1 and schedule the same recovery again.Tools Used
VSCode
Recommended Mitigation Steps
nonce++
can be removed from thescheduled != 0 && !isCancellation
if
block within thesigMode == SIGMODE_RECOVER || sigMode == SIGMODE_CANCEL
if
block. Then, https://github.com/AmbireTech/ambire-common/blob/f56e7dcaaa4ff8950b39fe6d5bced165d0f1c99f/contracts/AmbireAccount.sol#L168-L171 can be updated to the following code.Assessed type
Other
The text was updated successfully, but these errors were encountered: