EIP-712 typehash is incorrect for several functions in MetaTxLib
#141
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
M-07
primary issue
Highest quality submission among a set of duplicates
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
Lines of code
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/constants/Typehash.sol#L33
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/constants/Typehash.sol#L23
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/constants/Typehash.sol#L25
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/constants/Typehash.sol#L15
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/constants/Typehash.sol#L21
Vulnerability details
Bug Description
In
LensHub.sol
, the second parameter ofsetProfileMetadataURIWithSig()
is declared asmetadataURI
:LensHub.sol#L119-L123
However, its EIP-712 typehash stores the parameter as
metadata
instead:Typehash.sol#L33
The
PostParams
struct (which is used forpostWithSig()
) hasaddress[] actionModules
andbytes[] actionModulesInitDatas
as its third and fourth fields:Types.sol#L178-L185
However, the third and fourth fields in its typehash are declared as
address collectModule
andbytes collectModuleInitData
instead:Typehash.sol#L23
This occurs for the
commentWithSig()
andquoteWithSig()
functions as well:Typehash.sol#L25
Typehash.sol#L15
The fourth and fifth fields in the
MirrorParams
struct (which is used formirrorWithSig()
) are declared asreferrerProfileIds
andreferrerPubIds
:Types.sol#L282-L289
However, its EIP-712 typehash declares these fields as
referrerProfileId
andreferrerPubId
instead:Typehash.sol#L21
Impact
Due to the use of incorrect typehashes, the signature verification in the functions listed above is not EIP-712 compliant.
Contracts or dapps/backends that use "correct" typehashes that match the parameters of these functions will end up generating different signatures, causing them to revert when called.
Recommended Mitigation
Amend the typehashes shown above to have matching parameters with their respective functions.
Assessed type
Error
The text was updated successfully, but these errors were encountered: