Direct usage of `ecrecover` allows signature malleability

[code423n4]

Handle

shw

Vulnerability details

Impact

The verifySig function of Gravity calls the Solidity ecrecover function directly to verify the given signatures. However, the ecrecover EVM opcode allows malleable (non-unique) signatures and thus is susceptible to replay attacks.

Although a replay attack seems not possible here since the nonce is increased each time, ensuring the signatures are not malleable is considered a best practice (and so is checking _signer != address(0), where address(0) means an invalid signature).

Proof of Concept

Referenced code: Gravity.sol#L153

SWC-117: Signature Malleability SWC-121: Missing Protection against Signature Replay Attacks

Recommended Mitigation Steps

Use the recover function from OpenZeppelin's ECDSA library for signature verification.

[jkilpatr]

Best practicies advice may belong in category zero. But in general I agree with the advice here and that this is valid feedback despite lacking a specific attack vector.

semi-duplicate of #43, #28 which mention the validation issue. #22 also mentions malleability.

[albertchon]

Marking https://github.com/code-423n4/2021-08-gravitybridge-findings/issues/61 as primary for the signature malleability issue.

Duplicates:

• https://github.com/code-423n4/2021-08-gravitybridge-findings/issues/21
• https://github.com/code-423n4/2021-08-gravitybridge-findings/issues/22
• https://github.com/code-423n4/2021-08-gravitybridge-findings/issues/43
• https://github.com/code-423n4/2021-08-gravitybridge-findings/issues/28

[loudoguno]

reopening as per judges assessment as "primary issue" on findings sheet