The BATCH operation was introduced in v14, with the intent to streamline upgrade operations by packing some other operations together (e.g. transferring domains, and tracking tokens).
However, v15 introduced some operations requiring extra security (hence more authentications) without excluding them from a BATCH operation. This enables attackers to wrap these operations inside a BATCH operation, thereby executing these operations without doing more authentications as they would normally require.
To fix this, more verifications should be added to both the proof verification mechanism and the batch execution logic. Some operations should not be permitted inside BATCH, including BATCH itself.
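A minimal model of the flaw and of the two checks proposed above, as an added example that is not the project's code. The operation names, the authentication counts and every function name are hypothetical; the allowlist is one way to express "not permitted inside BATCH".

```python
from dataclasses import dataclass, field
from enum import Enum, auto

class Op(Enum):  # hypothetical operation names, not the project's identifiers
    TRACK_TOKEN = auto()
    TRANSFER_DOMAIN = auto()
    HIGH_SECURITY = auto()  # stands in for any operation that needs extra authentications
    BATCH = auto()

# Authentications required when an operation is submitted on its own (constructed values).
REQUIRED_AUTHS = {Op.TRACK_TOKEN: 1, Op.TRANSFER_DOMAIN: 1, Op.BATCH: 1, Op.HIGH_SECURITY: 3}
# Allowlist rather than denylist: an operation added later stays out of BATCH by default.
BATCHABLE = frozenset({Op.TRACK_TOKEN, Op.TRANSFER_DOMAIN})

class Rejected(Exception):
    pass

@dataclass
class Request:
    op: Op
    inner: list = field(default_factory=list)  # sub-requests, used only by BATCH

def check_auths(req, auths):
    if auths < REQUIRED_AUTHS[req.op]:
        raise Rejected(f"{req.op.name} requires {REQUIRED_AUTHS[req.op]} authentications")

def verify(req, auths):
    """Proof-verification stage: authentication count plus batch contents."""
    check_auths(req, auths)
    bad = [s.op.name for s in req.inner if s.op not in BATCHABLE]
    if req.op is Op.BATCH and bad:
        raise Rejected(f"not permitted inside BATCH: {bad}")

def dispatch(req, enforce, in_batch=False):
    """Execution stage: returns the names of the operations that ran."""
    if enforce and in_batch and req.op not in BATCHABLE:
        raise Rejected(f"{req.op.name} is not permitted inside BATCH")
    if req.op is Op.BATCH:
        return [name for sub in req.inner for name in dispatch(sub, enforce, True)]
    return [req.op.name]

def execute_flawed(req, auths):
    check_auths(req, auths)             # only the outer BATCH is authenticated
    return dispatch(req, enforce=False)

def execute_hardened(req, auths):
    verify(req, auths)                  # check 1: at proof verification
    return dispatch(req, enforce=True)  # check 2: again at every level of execution
```

The check is repeated in `dispatch` so that a batch nested inside another batch is still rejected if a request reaches execution by a path that skipped `verify`.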