Closed code423n4 closed 2 years ago
Duplicate of #61, #43
Duplicate of https://github.com/code-423n4/2021-08-gravitybridge-findings/issues/61
Handle
JMukesh
Vulnerability details
Impact
Due to the lack of checking of the v and s values in recover(), it becomes prone to signature malleability.
Proof of Concept
Check out the tryRecover() of ECDSA.sol
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/aefcb3e8aa4ee8da8e2b7022ffe4dcb57fbb0fdf/contracts/utils/cryptography/ECDSA.sol#L147
Tools Used
Manual review
Recommended Mitigation Steps
Add the necessary check to make the signature unique.