Can delegate burnt tokens to oneself

[code423n4]

Handle

cmichel

Vulnerability details

Failed signature verifications with ECDSA.recover return the zero address. The Ticket.delegateWithSignature function does not check that the provided _user is non-zero. This leads to the following attack which allows an attacker to delegate the zero address' balance (which is used as the burn address) to their own address.

POC

• attacker calls Ticket.delegateWithSignature(_user=0, _newDelegate=attacker, v,r,s=invalid signature)
• The signature is invalid which sets signer = 0 and the signer == _user check passes.
• Address 0 delegates its balance to the _user: _delegate(_user=0, _newDelegate=attacker) which calls _transferTwab(delegates[0], attacker, balanceOf(0))

Impact

As the actual balance of the zero address (balanceOf(address0)) is never increased in a _burn and neither is a transfer to the zero address allowed using the OZ ERC20 _transfer implementation, this does luckily not pose a risk.

Recommended Mitigation Steps

We still recommend actively prohibiting _user to be the zero address in the delegateWithSignature call in case the delegates[0] field is used for anything in the future.

[PierrickGT]

I've acknowledged the issue cause we won't make this change during this audit but when we will redeploy the Ticket contract.

[PierrickGT]

After doing some tests in the following PR, we realized that this exploit is not possible. It will throw an error on this line of the OpenZeppelin ECDSA util contract: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/cryptography/ECDSA.sol#L140 So for this reason, we disputed the issue. https://github.com/pooltogether/v4-core/pull/252