Closed code423n4 closed 1 year ago
This will break things as you can't execute the recovery successfully: once the nonce has been incremented, the same hash
cannot be matched.
As for this DOS, it cannot be performed because of this line - note scheduled != 0
.
if (scheduled != 0 && !isCancellation) {
if on the other hand isCancellation is true we enter this code
delete scheduledRecoveries[hash];
nonce = currentNonce + 1;
emit LogRecoveryCancelled(hash, recoveryInfoHash, recoveryKey, block.timestamp);
You are right, this one is invalid, I missed the first check, sorry
Picodes marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/AmbireTech/ambire-common/blob/455a8057e1e6edae48903fc9d116591b22fbf1c2/contracts/AmbireAccount.sol#L171-L175
Vulnerability details
Description
If after scheduling a recovery no transaction is executed, anyone can DOS the execution of this scheduled recovery by a signature replay attack given that the nonce is not increased
Impact
DOS of scheduled recovery execution if after a recovery is scheduled no other transaction is executed
POC
Consider next commented code
Now we can imagine next possible scenario:
nonce = 10
andcurrent_time = 10_000
, Alice schedule a recovery which can be executed atcurrent_time = 13_000
(3000 secs more than the time when the transaction was sent). The nonce hold on 10current_time = 13_000
current_time = 16_000
.require(block.timestamp > scheduled, 'RECOVERY_NOT_READY');
Mitigation steps
It is important to notice that this recommendation also solves M-03
Assessed type
DoS