Closed code423n4 closed 1 year ago
gzeon-c4 marked the issue as primary issue
lack of proof: "The possibility of replacement of paymasterId value as it is not signed by the verifyingSigner entity."
warden has missed other cases of signature replay with this.
livingrockrises marked the issue as disagree with severity
livingrockrises marked the issue as sponsor confirmed
gzeon-c4 marked the issue as unsatisfactory: Insufficient proof
gzeon-c4 changed the severity to QA (Quality Assurance)
gzeon-c4 marked the issue as grade-b
Hey @gzeon-c4 @livingrockrises! With all due respect, I do not agree with the decision.
The report describes the signature replayability. Specifically, the validatePaymasterUserOp function checks the signature of the verifyingSigner. The hash preimage does not contain the paymasterId and chainId values, which leads to the possibility of reusing such a signature with these values changed.
Regarding your previous message:
lack of proof: "The possibility of replacement of paymasterId value as it is not signed by the verifyingSigner entity."
there is the following part of the report:
The paymasterId value is not checked to be signed by the verifyingSigner, as it is not part of the preimage of the hash value. Also, there are no additional checks on this value anywhere else.
hmm what I mentioned in issue #466 happy to discuss further
gzeon-c4 marked the issue as grade-c
Marking as grade-c since the whole issue is upgraded to M in #542.
@gzeon-c4 I am a bit confused. Does it mean that this report is evaluated as M finding?
Yes, the system doesn't let me upgrade this to M directly; instead I have to create #542 as a placeholder.
Lines of code
https://github.com/code-423n4/2023-01-biconomy/blob/5df2e8f8c0fd3393b9ecdad9ef356955f07fbbdd/scw-contracts/contracts/smart-contract-wallet/paymasters/verifying/singleton/VerifyingSingletonPaymaster.sol#L77
https://github.com/code-423n4/2023-01-biconomy/blob/5df2e8f8c0fd3393b9ecdad9ef356955f07fbbdd/scw-contracts/contracts/smart-contract-wallet/paymasters/verifying/singleton/VerifyingSingletonPaymaster.sol#L109
Vulnerability details
Description
In the validatePaymasterUserOp function from the VerifyingSingletonPaymaster contract there is the following check of the signature provided by the verifyingSigner:

The paymasterId value is not checked to be signed by the verifyingSigner, as it is not part of the preimage of the hash value. Also, there are no additional checks on this value anywhere else.

The chainId value is not checked to be signed by the verifyingSigner, as it is also not part of the preimage of the hash value. All in all, the signature provided by the verifyingSigner is vulnerable to a replay attack on different chains. For sure, it can be used only for the UserOperation with the same parameters that are part of the hash preimage in the getHash function.

Impact

The possibility of replacement of the paymasterId value, as it is not signed by the verifyingSigner entity.
The possibility of a cross-chain replay attack on the provided verifyingSigner's signature, as chainId is not a part of the data that it is signing.

Recommended Mitigation Steps

Add the paymasterId and chainId to the preimage of the hash that should be signed by the verifyingSigner:
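An added illustration of this recommendation (not code from the report or from the Biconomy repository): a reduced Solidity sketch that places a hash without these two fields beside one that binds them. The Op struct, the contract and function names, the address type for paymasterId and the personal_sign-style digest are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.12;

// Added illustration: simplified stand-in for a verifying paymaster's hashing
// and signature check. All names below are hypothetical.
contract PaymasterHashSketch {
    struct Op {               // reduced, hypothetical subset of a UserOperation
        address sender;
        uint256 nonce;
        bytes callData;
        uint256 maxFeePerGas;
    }

    address public immutable verifyingSigner;

    constructor(address signer) {
        verifyingSigner = signer;
    }

    // Shape described in the report: neither chainId nor paymasterId is in
    // the preimage, so one signature verifies for any value of either.
    function hashUnbound(Op calldata op) public pure returns (bytes32) {
        return keccak256(
            abi.encode(op.sender, op.nonce, keccak256(op.callData), op.maxFeePerGas)
        );
    }

    // Recommended shape: the signer commits to the chain and to the paymasterId.
    // paymasterId is assumed to be an address here.
    function hashBound(Op calldata op, address paymasterId) public view returns (bytes32) {
        return keccak256(
            abi.encode(
                op.sender, op.nonce, keccak256(op.callData), op.maxFeePerGas,
                block.chainid, paymasterId
            )
        );
    }

    // True only if verifyingSigner signed the bound hash (assumed digest format).
    function isSponsored(Op calldata op, address paymasterId, uint8 v, bytes32 r, bytes32 s)
        external view returns (bool)
    {
        bytes32 digest = keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", hashBound(op, paymasterId))
        );
        address recovered = ecrecover(digest, v, r, s);
        return recovered != address(0) && recovered == verifyingSigner;
    }
}
```

With hashBound, a signature issued for one paymasterId on one chain recovers to a different address when either value changes, so isSponsored returns false.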