code-423n4 / 2021-08-gravitybridge-findings


signatures are accepted for zero address #21

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

0xito

Vulnerability details

Impact

If verifySig is called with the zero address as the `_signer`, any signature will be valid. This is because `ecrecover` does not revert on wrong signatures but returns the zero address instead.

Proof of Concept

Tools Used

Recommended Mitigation Steps

Revert if the return value of `ecrecover` is the zero address. Use OpenZeppelin's ECDSA.sol for further checks on signature verification.
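For illustration, an added Solidity example (constructed here, not the audited Gravity.sol code) showing the pattern the report describes beside two hardened forms; the OpenZeppelin import path and the `ECDSA.toEthSignedMessageHash` / `ECDSA.recover` signatures are assumed to be those of openzeppelin-contracts v4.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration, not the audited Gravity.sol. OpenZeppelin's ECDSA
// library is assumed available at this path (openzeppelin-contracts v4.x).
import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

contract SigCheckExample {
    function _digest(bytes32 _theHash) internal pure returns (bytes32) {
        return keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", _theHash)
        );
    }

    // Vulnerable pattern from the report: ecrecover returns address(0) for a
    // malformed signature instead of reverting, so when _signer is address(0)
    // (an unset or zeroed validator slot) any (v, r, s) satisfies the check.
    function verifySigVulnerable(
        address _signer, bytes32 _theHash, uint8 _v, bytes32 _r, bytes32 _s
    ) public pure returns (bool) {
        return _signer == ecrecover(_digest(_theHash), _v, _r, _s);
    }

    // Hardened, manual: reject a zero signer up front and treat a zero
    // recovery result as an invalid signature, as the report recommends.
    function verifySigChecked(
        address _signer, bytes32 _theHash, uint8 _v, bytes32 _r, bytes32 _s
    ) public pure returns (bool) {
        require(_signer != address(0), "zero signer");
        address recovered = ecrecover(_digest(_theHash), _v, _r, _s);
        require(recovered != address(0), "invalid signature");
        return recovered == _signer;
    }

    // Hardened, library: ECDSA.recover reverts on a zero recovery result, a
    // high-s (malleable) signature and an out-of-range v, so the zero address
    // can never be compared against _signer.
    function verifySigOZ(
        address _signer, bytes32 _theHash, uint8 _v, bytes32 _r, bytes32 _s
    ) public pure returns (bool) {
        require(_signer != address(0), "zero signer");
        bytes32 digest = ECDSA.toEthSignedMessageHash(_theHash);
        return ECDSA.recover(digest, _v, _r, _s) == _signer;
    }
}
```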

jkilpatr commented 2 years ago

Duplicate of #43, #61, #28

albertchon commented 2 years ago

Duplicate of https://github.com/code-423n4/2021-08-gravitybridge-findings/issues/61