Signature Malleability in Verification #157

c4-bot-1 · 2024-02-13T06:33:52Z

Lines of code

https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/FighterFarm.sol#L206
https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/Verification.sol#L40

Vulnerability details

Impact

As highlighted in the EIP 865’s discussion, its current full implementation is affected by a signature malleability issue, steaming from the fact that in the current EIP, the recover function:

Allows both values 0/1 and 27/28 for v
Allows both lower and upper s values

ethereum/EIPs#865 (comment)

Signature malleability poses a security risk in systems that use these kinds of signatures as unique identifiers; as in the Verification.sol contract it uses ecrecover to recover the signer, this allows replay attacks, and this verification.verify is used in the FighterFarm.sol:
https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/FighterFarm.sol#L206

https://swcregistry.io/docs/SWC-117/

Proof of Concept

    function verify(
        bytes32 msgHash, 
        bytes memory signature,
        address signer
    ) 
        public 
        pure 
        returns(bool) 
    {
        require(signature.length == 65, "invalid signature length");

        bytes32 r;
        bytes32 s;
        uint8 v;

        assembly {
            /*
            First 32 bytes stores the length of the signature

            add(sig, 32) = pointer of sig + 32
            effectively, skips first 32 bytes of signature

            mload(p) loads next 32 bytes starting at the memory address p into memory
            */

            // first 32 bytes, after the length prefix
            r := mload(add(signature, 32))
            // second 32 bytes
            s := mload(add(signature, 64))
            // final byte (first byte of the next 32 bytes)
            v := byte(0, mload(add(signature, 96)))
        }
        bytes memory prefix = "\x19Ethereum Signed Message:\n32";
        bytes32 prefixedHash = keccak256(abi.encodePacked(prefix, msgHash));
@>      return ecrecover(prefixedHash, v, r, s) == signer;
    }

Tools Used

Manual review.

Recommended Mitigation Steps

Consider using OpenZeppelin’s ECDSA library: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/cryptography/ECDSA.sol

Assessed type

Other

The text was updated successfully, but these errors were encountered:

c4-bot-2 · 2024-02-15T13:50:54Z

Withdrawn by tpiliposian

c4-bot-1 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Feb 13, 2024

c4-bot-2 added a commit that referenced this issue Feb 13, 2024

tpiliposian issue #157

e6affda

code4rena-admin added the edited-by-warden label Feb 13, 2024

c4-bot-2 closed this as completed Feb 15, 2024

c4-bot-2 added invalid This doesn't seem right withdrawn by warden Special case: warden has withdrawn this submission and it can be ignored and removed bug Something isn't working edited-by-warden labels Feb 15, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Signature Malleability in Verification #157

Signature Malleability in Verification #157

c4-bot-1 commented Feb 13, 2024 •

edited by c4-bot-3

Loading

c4-bot-2 commented Feb 15, 2024

Signature Malleability in Verification #157

Signature Malleability in Verification #157

Comments

c4-bot-1 commented Feb 13, 2024 • edited by c4-bot-3 Loading

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Assessed type

c4-bot-2 commented Feb 15, 2024

c4-bot-1 commented Feb 13, 2024 •

edited by c4-bot-3

Loading