Closed code423n4 closed 1 year ago
0xSorryNotSorry marked the issue as primary issue
Sidu28 marked the issue as sponsor disputed
Read the guidance on the OZ disclosure carefully; it does not apply to our usage. We are using nonces, not "marking the signature itself as used".
Nonce is read, used and updated here: https://github.com/Layr-Labs/eigenlayer-contracts/blob/66c660bd0d21713cba70dd2b74c773ae96e85243/src/contracts/core/StrategyManager.sol#L270-L273
GalloDaSballo marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/Layr-Labs/eigenlayer-contracts/blob/master/src/contracts/core/StrategyManager.sol#L293
Vulnerability details
Impact
Signature Replay attack possible on depositing Assets into strategies by staker.
Proof of Concept
In depositIntoStrategyWithSignature method, OpenZeppelin's ECDSA library is used to check that the signature is a valid ECDSA signature from staker. In case it is correct, the method goes on to deposit the assets into the strategy.
Link to code
Here the version of ECDSA used is 4.7.0, which contains the signature malleability issue that OpenZeppelin have acknowledged here. As per them:
OpenZeppelin supported Signature Representations in ECDSA v4.7.0:
This version used an if-else condition to determine the signature format. But there was a case where a caller may take a signature that has already been submitted, submit it again in a different format, and bypass this protection.
This is only an issue for the functions that take a single bytes argument, and not the functions that take r, v, s or r, vs as separate arguments. But here, in depositIntoStrategyWithSignature, it uses exactly a single bytes signature argument, making it a clear attack vector for Signature Malleability.
Tools Used
VS Code
Recommended Mitigation Steps
Upgrade the OpenZeppelin library dependency to the latest safe version or at least version (4.7.3) where this issue has been mitigated.
Assessed type
Library
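
The encoding point discussed in this thread, as an added Python model that is not part of the original report or of the EigenLayer or OpenZeppelin code: one (r, s, v) signature has both a 65-byte and a 64-byte EIP-2098 encoding, so a replay guard keyed on the signature bytes treats them as two different values, while a guard keyed on a nonce inside the signed digest rejects either encoding after first use. The guard classes, the lookup values standing in for ECDSA verification, and the sample bytes are all constructed for illustration.

```python
import hashlib

HALF = 1 << 255  # top bit of the 32-byte "vs" word carries the recovery bit

def to_compact(sig65: bytes) -> bytes:
    """Re-encode a 65-byte r||s||v signature as 64-byte EIP-2098 r||vs."""
    if len(sig65) != 65:
        raise ValueError("expected a 65-byte signature")
    r, s, v = sig65[:32], int.from_bytes(sig65[32:64], "big"), sig65[64]
    if v not in (27, 28) or s >= HALF:
        raise ValueError("expected low-s signature with v in {27, 28}")
    return r + (s | ((v - 27) << 255)).to_bytes(32, "big")

def parse(sig: bytes):
    """Length-based format switch, modelling a bytes-argument recover that
    accepts both encodings. Returns the canonical (r, s, v) tuple."""
    if len(sig) == 65:
        return sig[:32], int.from_bytes(sig[32:64], "big"), sig[64]
    if len(sig) == 64:
        vs = int.from_bytes(sig[32:], "big")
        return sig[:32], vs & (HALF - 1), 27 + (vs >> 255)
    raise ValueError("invalid signature length")

class UsedSignatureGuard:
    """Hypothetical replay guard keyed on the raw signature bytes."""
    def __init__(self, valid):
        self.valid, self.used = valid, set()
    def accept(self, sig: bytes) -> bool:
        key = hashlib.sha256(sig).digest()
        if key in self.used or parse(sig) != self.valid:
            return False
        self.used.add(key)
        return True

class NonceGuard:
    """Hypothetical replay guard keyed on a nonce that is part of the signed
    digest: signed_for[n] is the only (r, s, v) valid while nonce == n."""
    def __init__(self, signed_for):
        self.signed_for, self.nonce = signed_for, 0
    def accept(self, sig: bytes) -> bool:
        if parse(sig) != self.signed_for.get(self.nonce):
            return False
        self.nonce += 1  # any encoding of the old signature is now stale
        return True

# Constructed sample bytes (not a real ECDSA signature over any message).
SIG65 = bytes(range(1, 33)) + bytes([0x11] * 32) + bytes([28])
SIG64 = to_compact(SIG65)
```
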