Closed code423n4 closed 2 years ago
Thank you
True, the orders would be valid on both chains instead of just mainnet / 1. I do think there's an argument for Medium risk here, but the impact here doesn't sufficiently explore that to make the potential repercussions clear. Lowering risk and merging with the warden's QA report https://github.com/code-423n4/2022-06-infinity-findings/issues/285
Lines of code
https://github.com/code-423n4/2022-06-infinity/blob/main/contracts/core/InfinityExchange.sol#L104-L117
Vulnerability details
Impact
The choice of
DOMAIN_SEPARATOR
may cause double spending in case a network is forked.Proof of Concept
The
DOMAIN_SEPARATOR
is an immutable value for whichblock.chainid
is determined at construction time. But if a fork occurs later and the chain id changes, this change won't impact theDOMAIN_SEPARATOR
. Thus, after the fork, an attacker may execute trades another time, despite this is another chain.Tools Used
Manual analysis
Recommended Mitigation Steps
Add an immutable variable
chainId
and set it toblock.chainid
during contract construction. Every timeDOMAIN_SEPARATOR
is needed, check ifchainId == block.chainid
and if yes, use the immutableDOMAIN_SEPARATOR
, else derive theDOMAIN_SEPARATOR
again.