code-423n4 / 2022-01-livepeer-findings


recoverSigner returns an empty address when the signature is empty #232

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

pauliax

Vulnerability details

Impact

Function recoverSigner in L1Migrator returns an empty address if the signature is empty:

  if (_sig.length == 0) {
      return address(0);
  }

This means you can bypass the signature verification by passing an empty signature and an empty address for _l1Addr. Then you can specify any _l2Addr and it will work.

Recommended Mitigation Steps

It should revert when the signature is empty, or just let ECDSA.recover reject it.

yondonfu commented 2 years ago

Duplicate of https://github.com/code-423n4/2022-01-livepeer-findings/issues/142
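The mitigation recommended in the report above, as an added example that is not the L1Migrator source or the reporter's code: the empty-signature special case next to a variant that reverts on any malformed signature. The contract name, `_digest`, `recoverSignerLenient`, `recoverSignerStrict`, `isAuthorized`, `_recover` and the shape of the caller's comparison against `_l1Addr` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration. Only recoverSigner's empty-signature branch, _l1Addr and
// _sig come from the report; every other name here is hypothetical.
contract SignerCheckExample {
    // Pattern from the report: an empty signature yields address(0) instead of reverting.
    function recoverSignerLenient(bytes32 _digest, bytes memory _sig) public pure returns (address) {
        if (_sig.length == 0) {
            return address(0);
        }
        return _recover(_digest, _sig);
    }

    // Hardened: no special case, so an empty or malformed signature reverts.
    function recoverSignerStrict(bytes32 _digest, bytes memory _sig) public pure returns (address) {
        return _recover(_digest, _sig);
    }

    // Assumed caller shape: access is granted when the recovered signer equals _l1Addr.
    // The explicit zero-address check is defense in depth on top of the strict recovery.
    function isAuthorized(address _l1Addr, bytes32 _digest, bytes memory _sig)
        external pure returns (bool)
    {
        require(_l1Addr != address(0), "zero l1Addr");
        return recoverSignerStrict(_digest, _sig) == _l1Addr;
    }

    // Strict 65-byte (r, s, v) recovery that never returns address(0).
    function _recover(bytes32 _digest, bytes memory _sig) private pure returns (address signer) {
        require(_sig.length == 65, "invalid signature length");
        bytes32 r;
        bytes32 s;
        uint8 v;
        assembly {
            r := mload(add(_sig, 0x20))
            s := mload(add(_sig, 0x40))
            v := byte(0, mload(add(_sig, 0x60)))
        }
        // Reject high-s (malleable) signatures and unexpected recovery ids.
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "invalid s");
        require(v == 27 || v == 28, "invalid v");
        signer = ecrecover(_digest, v, r, s);
        require(signer != address(0), "invalid signature");
    }
}
```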