code-423n4 / 2021-08-gravitybridge-findings


lack of validation for the v and s value in recover() function #43

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

JMukesh

Vulnerability details

Impact

Due to the lack of checking of the v and s values in recover(), it becomes prone to signature malleability.

Proof of Concept

check out the tryRecover() of ECDSA.sol

https://github.com/OpenZeppelin/openzeppelin-contracts/blob/aefcb3e8aa4ee8da8e2b7022ffe4dcb57fbb0fdf/contracts/utils/cryptography/ECDSA.sol#L147

Tools Used

manual review

Recommended Mitigation Steps

Add the necessary check to make the signature unique.
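Added example, not part of the original report or of the Gravity Bridge code: a pure-Python secp256k1 sketch showing why a verifier without the v and s checks accepts two encodings of one signature, and how the bounds `v in {27, 28}` and `s <= n/2` leave exactly one. The key, nonce, message hash and all function names are constructed for illustration.

```python
# secp256k1 domain parameters (public curve constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HALF_N = N // 2  # upper bound for a canonical (low) s
# Add two curve points; None stands for the point at infinity.
def add(a, b):
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b:
        m = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        m = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (m * m - a[0] - b[0]) % P
    return (x, (m * (a[0] - x) - a[1]) % P)
# Double-and-add scalar multiplication.
def mul(k, pt):
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc
# Textbook ECDSA with a fixed nonce k; only for the constructed values below.
def sign(z, d, k):
    R = mul(k, G)
    r = R[0] % N
    return (27 + (R[1] & 1), r, pow(k, -1, N) * (z + r * d) % N)
# Plain ECDSA verification: places no restriction on v or on the size of s.
def verify(z, sig, Q):
    _, r, s = sig
    w = pow(s, -1, N)
    X = add(mul(z * w % N, G), mul(r * w % N, Q))
    return X is not None and X[0] % N == r
# The two checks the finding asks for: v is 27 or 28, and s is in the lower half.
def is_canonical(sig):
    v, _, s = sig
    return v in (27, 28) and s <= HALF_N
# The other encoding of the same signature: v flipped, s replaced by n - s.
def twin(sig):
    v, r, s = sig
    return (55 - v, r, N - s)

# Constructed test values (assumptions, not taken from any real contract or key).
D, K, Z = 0x1234567890ABCDEF, 0xC0FFEE1234, 0xDEADBEEF
PUB, SIG = mul(D, G), sign(Z, D, K)
```

Both `SIG` and `twin(SIG)` pass `verify`, but only one of them passes `is_canonical`, which is what makes the accepted signature unique.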

jkilpatr commented 2 years ago

Duplicate of #61, #43

albertchon commented 2 years ago

Duplicate of https://github.com/code-423n4/2021-08-gravitybridge-findings/issues/61