code-423n4 / 2023-01-rabbithole-findings

`hash` and `signature_` can be obtained from the mempool when `recoverSigner` is executed #639

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/QuestFactory.sol#L210-L213

Vulnerability details

In the QuestFactory.sol contract, an attacker can monitor the mempool and obtain the values of `hash` and `signature_` which the other user has provided to the function.

Proof of Concept

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/QuestFactory.sol#L210-L213

```solidity
// QuestFactory.sol, lines 210-213
function recoverSigner(bytes32 hash_, bytes memory signature_) public pure returns (address) {
    bytes32 messageDigest = keccak256(abi.encodePacked('\x19Ethereum Signed Message:\n32', hash_));
    return ECDSAUpgradeable.recover(messageDigest, signature_);
}
```

Recommended Mitigation Steps

The simplest way to mitigate this is to use Flashbots or some other means of submitting the values to the `recoverSigner` call that skips the mempool.

c4-judge commented 1 year ago

kirk-baird marked the issue as unsatisfactory: Invalid