search

code-423n4 / 2021-06-realitycards-findings

3 stars 2 forks source link

Use ECDSA to verify signature #136

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

a_delamo

Vulnerability details

Impact

NativeMetaTransaction is using ecrecover directly in order to verify the signature. I would recommend using ECDSA.sol from openzeppelin as it does some more verifications in order to validate the signature is valid.

Being this such an important thing, any extra verification is needed.

function verify(
    address signer,
    MetaTransaction memory metaTx,
    bytes32 sigR,
    bytes32 sigS,
    uint8 sigV
  ) internal view returns (bool) {
    require(signer != address(0), "NativeMetaTransaction: INVALID_SIGNER");
    //FIXME: Recommend to use ECDSA
    return
      signer ==
      ecrecover(
        toTypedMessageHash(hashMetaTransaction(metaTx)),
        sigV,
        sigR,
        sigS
      );
  }
Splidge commented 3 years ago

Duplicate of #66

dmvt commented 3 years ago

duplicate of #66