ComposableSecurity - Lack of protection from signature malleability #429
Comments
Escalate
This is not a duplicate of #273. The attack vector, affected code snippet, recommendation and impact are different. This issue shows a signature malleability problem, not the lack of an action parameter in the digest. This issue, together with #10, #53, #130, #279, #155, #168, #178 and #429, should not be a duplicate of #273, but a separate one.

You've created a valid escalation! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

Agree with the escalation, planning to accept and duplicate with #279

Result:
Escalations have been resolved successfully! Escalation status:
ComposableSecurity
Severity: high
Lack of protection from signature malleability
Summary
The `TitlesGraph` contract is incorrectly protected from signature replay attacks via signature malleability because it uses the signature as the key in the `isUsed` mapping and the `SignatureCheckerLib` library from the `solady` repository.

Vulnerability Detail
The `TitlesGraph` contract uses a mapping `isUsed` to protect from replay attacks on functions that accept a signature parameter, which are: `acknowledgeEdge(bytes32 edgeId_, bytes calldata data_, bytes calldata signature_)` and `unacknowledgeEdge(bytes32 edgeId_, bytes calldata data_, bytes calldata signature_)`.

The problem arises from two different issues, which must occur simultaneously.

The first issue is that the `signature` is used as the mapping key (instead of the `digest`, potentially with some nonce), which could make it vulnerable to a replay attack due to signature malleability.

That would however not be possible without the second issue, which is using the `SignatureCheckerLib` library from the `solady` repository without detecting signature malleability. The library does not check for signature malleability itself, as stated in the docs: https://github.com/Vectorized/solady/blob/91d5f64b39a4d20a3ce1b5e985103b8ea4dc1cfc/src/utils/SignatureCheckerLib.sol#L19-L23

As a result, anyone can take any signature from past transactions of a particular user, generate its different format (without any external information) and execute the opposite operation on behalf of the user.
PoC
Notice I had to add the `solidity-bytes-utils` package and I made the `_hashTypedData` function public to make it easier to get the correct digest.

Impact
Anyone is able to acknowledge or unacknowledge the edge being acknowledged by the creator of the `to` node (using a signature).

Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/graph/TitlesGraph.sol#L40-L50
Tool used
Manual Review
Recommendation
Use digest (potentially with additional nonce if the same function parameters can be reused) instead of the signature as the mapping key.
Note that the additional nonce, if you plan to use it, must be included in the signed digest.
Duplicate of #279
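The mechanics behind the finding, as an added worked example (this is not code from the TitlesGraph repository, from solady, or from the report author): a secp256k1 ECDSA signature `(r, s, v)` has a second valid encoding `(r, n - s, v')` with the recovery id flipped, computable from the signature alone. A replay guard keyed on the signature bytes treats the two encodings as different entries, so the twin passes; a guard keyed on the digest does not. The block uses a minimal pure-Python curve implementation written for illustration (not constant-time, not for production), a SHA-256 hash over a constructed message as a stand-in for the contract's EIP-712 digest, and a hypothetical `ReplayGuard` class that models the `isUsed` mapping with either key choice; it also includes the low-s canonical-form check that libraries such as OpenZeppelin's ECDSA use to reject the malleated twin.

```python
"""Constructed demo of secp256k1 signature malleability against two replay-guard designs.
Added example, not TitlesGraph or solady code; pure-Python curve arithmetic for illustration only."""
import hashlib
import secrets

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt):
    acc = None                       # double-and-add scalar multiplication
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def sign(digest: bytes, priv: int) -> bytes:
    """Return a 65-byte r||s||v signature, v in {27, 28} (Ethereum convention)."""
    z = int.from_bytes(digest, "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        x, y = _mul(k, G)
        r = x % N
        s = pow(k, -1, N) * (z + r * priv) % N if r else 0
        if r and s and x < N:        # x >= N would need v in {29, 30}; retry instead
            return r.to_bytes(32, "big") + s.to_bytes(32, "big") + bytes([27 + (y & 1)])

def recover(digest: bytes, sig: bytes):
    """ecrecover: the signer's public-key point, or None if the signature is invalid."""
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:64], "big")
    if len(sig) != 65 or not (1 <= r < N and 1 <= s < N) or sig[64] not in (27, 28):
        return None
    alpha = (pow(r, 3, P) + 7) % P
    y = pow(alpha, (P + 1) // 4, P)  # P % 4 == 3, so this is a square root if one exists
    if (y * y - alpha) % P != 0:
        return None
    if (y & 1) != sig[64] - 27:
        y = P - y                    # v selects which of the two roots is R.y
    zG = _mul(int.from_bytes(digest, "big"), G)
    neg_zG = None if zG is None else (zG[0], (-zG[1]) % P)
    return _mul(pow(r, -1, N), _add(_mul(s, (r, y)), neg_zG))  # Q = r^-1 * (s*R - z*G)

def malleate(sig: bytes) -> bytes:
    """The second valid encoding of the same signature: (r, N - s, v flipped)."""
    s = int.from_bytes(sig[32:64], "big")
    return sig[:32] + (N - s).to_bytes(32, "big") + bytes([55 - sig[64]])

def is_low_s(sig: bytes) -> bool:
    """Canonical-form check (s <= N/2); exactly one of a signature and its twin passes."""
    return int.from_bytes(sig[32:64], "big") <= N // 2

class ReplayGuard:
    """Hypothetical model of the contract's isUsed mapping, keyed by 'signature' or 'digest'."""
    def __init__(self, pub, key_by: str):
        self.pub, self.key_by, self.used = pub, key_by, set()

    def acknowledge(self, digest: bytes, sig: bytes) -> bool:
        key = sig if self.key_by == "signature" else digest
        if key in self.used or recover(digest, sig) != self.pub:
            return False
        self.used.add(key)
        return True

def demo() -> dict:
    """Sign once, malleate, replay against both guards; returns the observations."""
    priv = secrets.randbelow(N - 1) + 1
    pub = _mul(priv, G)
    # SHA-256 over a constructed message stands in for the contract's EIP-712 digest.
    digest = hashlib.sha256(b"constructed: acknowledgeEdge(edgeId, data)").digest()
    sig = sign(digest, priv)
    twin = malleate(sig)
    by_sig, by_digest = ReplayGuard(pub, "signature"), ReplayGuard(pub, "digest")
    return {
        "twin_differs": twin != sig,
        "twin_recovers_same_signer": recover(digest, twin) == pub,
        "exactly_one_low_s": is_low_s(sig) != is_low_s(twin),
        "sig_key_first": by_sig.acknowledge(digest, sig),
        "sig_key_replay": by_sig.acknowledge(digest, twin),        # True: replay accepted
        "digest_key_first": by_digest.acknowledge(digest, sig),
        "digest_key_replay": by_digest.acknowledge(digest, twin),  # False: replay blocked
    }
```

Calling `demo()` shows the two failure conditions the report names occurring together: the twin is byte-different but recovers to the same signer, so the signature-keyed guard accepts it, while the digest-keyed guard rejects it. Either fix alone closes the hole: key `isUsed` on the digest (the report's recommendation), or reject any signature with `s > N/2` before recovery so only one encoding is ever valid.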