code-423n4 / 2022-10-thegraph-findings

Signature malleability not protected against #239

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-10-thegraph/blob/main/contracts/l2/token/GraphTokenUpgradeable.sol#L6

Vulnerability details

OpenZeppelin has a vulnerability in versions lower than 4.7.3, which can be exploited by an attacker. The project uses a vulnerable version (ECDSA signature malleability).

package.json#L27-L28:

"@openzeppelin/contracts": "^3.4.1",
"@openzeppelin/contracts-upgradeable": "3.4.2",

Recommended Mitigation Steps

Consider ensuring you are using at least the patched version of @openzeppelin/contracts, 4.7.3.
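
As an added illustration (not part of the finding above, and not code from The Graph or OpenZeppelin), the following pure-Python secp256k1 toy shows what "ECDSA signature malleability" means in practice: for any valid signature (r, s) the pair (r, n - s) verifies against the same key and message, and a canonical signature can additionally be serialised two ways, as the traditional 65-byte r || s || v string or as the 64-byte EIP-2098 compact form, which is the accept-both-encodings behaviour of `ECDSA.recover(bytes32, bytes)` that OpenZeppelin patched in 4.7.3. The private key, the fixed nonce `k` and the message are constructed sample values; `sign`, `verify`, `malleate`, `is_canonical`, `encode_65`, `encode_compact` and `demo` are this example's own names, and the curve arithmetic is textbook and not constant-time.

```python
# Added example, not code from the finding or from The Graph / OpenZeppelin.
# Textbook secp256k1 ECDSA, illustration only, showing two kinds of malleability.
import hashlib

# secp256k1 domain parameters (the curve Ethereum uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HALF_N = N // 2  # a signature is "low-s" (canonical) when s <= HALF_N

def _add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def _z(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(priv: int, msg: bytes, k: int):
    """Textbook ECDSA. k is passed in so the example is deterministic;
    real code must derive k per RFC 6979 or from a CSPRNG."""
    R = _mul(k, G)
    r = R[0] % N
    s = pow(k, -1, N) * (_z(msg) + r * priv) % N
    v = 27 + (R[1] & 1)                  # Ethereum-style recovery id
    return (r, s, v)

def verify(pub, msg: bytes, sig) -> bool:
    """Standard verification; deliberately does NOT enforce low-s."""
    r, s, _v = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    X = _add(_mul(_z(msg) * w % N, G), _mul(r * w % N, pub))
    return X is not None and X[0] % N == r

def malleate(sig):
    """Without the private key, turn (r, s, v) into the other valid form (r, n - s, v')."""
    r, s, v = sig
    return (r, N - s, 55 - v)            # v flips between 27 and 28

def is_canonical(sig) -> bool:
    """Low-s rule: accept only one of the two forms (the rule OZ's ECDSA library enforces)."""
    return sig[1] <= HALF_N

def encode_65(sig) -> bytes:
    """Traditional r || s || v encoding (65 bytes)."""
    r, s, v = sig
    return r.to_bytes(32, "big") + s.to_bytes(32, "big") + bytes([v])

def encode_compact(sig) -> bytes:
    """EIP-2098: r || (yParity << 255 | s), 64 bytes; requires low-s."""
    r, s, v = sig
    if not is_canonical(sig):
        raise ValueError("compact encoding needs a low-s signature")
    return r.to_bytes(32, "big") + (((v - 27) << 255) | s).to_bytes(32, "big")

# Constructed sample values: hypothetical key and digest, fixed k for determinism.
PRIV = 12345678901234567890
PUB = _mul(PRIV, G)
MSG = b"permit(owner,spender,value,nonce,deadline)"  # stand-in for an EIP-712 digest

def demo():
    """Return the observations a reviewer would check."""
    sig = sign(PRIV, MSG, k=98765432109876543210)
    forged = malleate(sig)
    canonical = sig if is_canonical(sig) else forged
    return {
        "original_valid": verify(PUB, MSG, sig),
        "forged_valid": verify(PUB, MSG, forged),        # same key, same message
        "exactly_one_canonical": is_canonical(sig) != is_canonical(forged),
        "long_form": encode_65(canonical),
        "compact_form": encode_compact(canonical),       # different bytes, same signature
    }
```

Running `demo()` shows both (r, s) and (r, n - s) verifying under the same key and message while only one of them passes the low-s check, and the canonical signature serialising to two different byte strings. Either form of malleability only matters when a contract uses the signature bytes themselves as its replay marker (for example a `mapping(bytes => bool) used`); a scheme that binds a per-signer nonce into the signed digest, as EIP-2612 permit does, is unaffected, because a malleated copy still carries the nonce that was already consumed.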

trust1995 commented 1 year ago

Warden did not demonstrate an impact of signature malleability possibility. Indeed it seems like the signature is not used in a vulnerable way.

0xean commented 1 year ago

closing as invalid