[This issue is possibly duplicate with a previous issue named "Potential replay attack"]
In QuickAccManager.sol#sendTxns() and QuickAccManager.sol#sendTransfer(), address(identity) is not included in the txHash, makes it possible to replay the transaction on another Identity when the same pair of keys controls multiple Identity.
Alice set up 2 Identity proxy contracts and top up with 1000 USDC each;
Alice send 1000 USDC to Bob with QuickAccManager.sol#sendTransfer() or QuickAccManager.sol#sendTxns() from Identity 1;
Bob or the attacker can replay the transaction above with the same parameters except the first parameter changed to Identity 2, and Bob will receive another 1000 USDC from Identity 2.
Handle
WatchPug
Vulnerability details
[This issue is possibly duplicate with a previous issue named "Potential replay attack"]
In
QuickAccManager.sol#sendTxns()
andQuickAccManager.sol#sendTransfer()
,address(identity)
is not included in the txHash, makes it possible to replay the transaction on anotherIdentity
when the same pair of keys controls multipleIdentity
.https://github.com/code-423n4/2021-10-ambire/blob/bc01af4df3f70d1629c4e22a72c19e6a814db70d/contracts/wallet/QuickAccManager.sol#L131-L147
https://github.com/code-423n4/2021-10-ambire/blob/bc01af4df3f70d1629c4e22a72c19e6a814db70d/contracts/wallet/QuickAccManager.sol#L156-L177
PoC
Identity
proxy contracts and top up with1000 USDC
each;1000 USDC
to Bob withQuickAccManager.sol#sendTransfer()
orQuickAccManager.sol#sendTxns()
fromIdentity 1
;Identity 2
, and Bob will receive another1000 USDC
fromIdentity 2
.Recommendation
Consider including
address(identity)
in txHash.