Lodestar-Finance / lodestar-protocol

Houses the code for the Lodestar Finance DeFi protocol.
BSD 3-Clause "New" or "Revised" License

Direct usage of `ecrecover` allows signature malleability #31

Open rotcivegaf opened 1 year ago

rotcivegaf commented 1 year ago

Affected smart contract

Description

These functions use the ecrecover function directly to verify the given signature. However, the ecrecover EVM opcode allows for malleable (non-unique) signatures and is thus susceptible to replay attacks. Look in: ECDSA tryRecover checks

Attack scenario

In the case of the delegateBySig function on the Comp contract, the nonce changes every time, removing the possible replay attack. But castVoteBySig on GovernorAlpha and castVoteBySig on GovernorBravoDelegate have the possibility of a replay attack.

Recommendation

Use the ECDSA library of OpenZeppelin
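The strict recovery the recommendation refers to (the same checks as OpenZeppelin's ECDSA.tryRecover) combined with a per-signer nonce, as an added example that is not Lodestar's or OpenZeppelin's code; the contract, typehash, event and mapping names are assumed for illustration only:

```solidity
// SPDX-License-Identifier: BSD-3-Clause
pragma solidity ^0.8.0;

/// Added example (not Lodestar or OpenZeppelin code): strict ECDSA recovery applying the
/// same checks as OpenZeppelin's ECDSA.tryRecover, so the malleable (high-s) twin of a
/// signature and non-canonical v values are rejected instead of recovering to the signer.
library StrictECDSA {
    // secp256k1 group order n divided by 2: every (r, s) has a twin (r, n - s) that
    // recovers to the same signer, so only the low-s half of the range is accepted.
    uint256 private constant HALF_ORDER =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    /// Returns the signer, or address(0) for a high-s signature, a bad v, or no match.
    function tryRecover(bytes32 digest, uint8 v, bytes32 r, bytes32 s)
        internal pure returns (address)
    {
        if (uint256(s) > HALF_ORDER) return address(0); // reject the malleable twin
        if (v != 27 && v != 28) return address(0);       // only canonical v values
        return ecrecover(digest, v, r, s);               // may itself return address(0)
    }
}

/// castVoteBySig-style entry point combining the strict recovery with a per-signer nonce
/// (the Comp delegateBySig pattern the issue describes). BALLOT_TYPEHASH, nonces and
/// VoteCast are hypothetical names for this example, not the project's.
contract VoteBySigExample {
    using StrictECDSA for bytes32;

    bytes32 public constant BALLOT_TYPEHASH =
        keccak256("Ballot(uint256 proposalId,uint8 support,uint256 nonce)");
    bytes32 public immutable DOMAIN_SEPARATOR;
    mapping(address => uint256) public nonces;
    event VoteCast(address indexed voter, uint256 proposalId, uint8 support);

    constructor(bytes32 domainSeparator) { DOMAIN_SEPARATOR = domainSeparator; }

    function castVoteBySig(uint256 proposalId, uint8 support, uint256 nonce,
                           uint8 v, bytes32 r, bytes32 s) external {
        bytes32 structHash = keccak256(abi.encode(BALLOT_TYPEHASH, proposalId, support, nonce));
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, structHash));
        address signer = digest.tryRecover(v, r, s);
        require(signer != address(0), "invalid signature"); // high-s, bad v, or no match
        require(nonce == nonces[signer]++, "invalid nonce"); // each signed ballot is single-use
        emit VoteCast(signer, proposalId, support);
    }
}
```

The nonce check, not the low-s check alone, is what makes a signed ballot single-use; the low-s check only ensures that each ballot has exactly one accepted signature encoding.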

maarcweiss commented 1 year ago

False, no signature malleability in the contract due to its nonce. It is a fork from Compound also.