code-423n4 / 2023-06-llama-findings


ecrecover function is vulnerable to signature malleability #243

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-llama/blob/main/src/LlamaCore.sol#L297
https://github.com/code-423n4/2023-06-llama/blob/main/src/LlamaCore.sol#L388
https://github.com/code-423n4/2023-06-llama/blob/main/src/LlamaCore.sol#L421

Vulnerability details

Impact

Signature malleability potential exists, which can be carried out by a malicious actor to have two or more signatures that recover the signer of the same message. The ecrecover function can be used to recover an address by having a signature and the signed message hash to which it belongs. EIP-2098 can be used to modify a used signature by placing v in the top of s, making the signature one byte shorter, or flipping s and v for unpacking, and carry out a replay attack.

Proof of Concept

https://github.com/code-423n4/2023-06-llama/blob/main/src/LlamaCore.sol#L297
https://github.com/code-423n4/2023-06-llama/blob/main/src/LlamaCore.sol#L388
https://github.com/code-423n4/2023-06-llama/blob/main/src/LlamaCore.sol#L421

Tools Used

Manual Review

Recommended Mitigation Steps

Using a nonce in the message payload will generate a new nonce for every signature generated every time the function is called. A nonce can prevent an old value from being used when a new value exists.

Assessed type

Other
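
An added example, not part of the original report or of the Llama code base: a Python sketch of the canonical-form check (low s, v of 27 or 28) that a verifier can apply before recovery, covering both the 65-byte encoding and the 64-byte EIP-2098 encoding the report mentions. The function names and the sample values are assumptions constructed for illustration.

```python
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 order
HALF_N = N // 2
S_MASK = (1 << 255) - 1  # low 255 bits of the EIP-2098 yParityAndS word


def parse_signature(sig: bytes) -> tuple[int, int, int]:
    """Decode 65-byte r||s||v or 64-byte EIP-2098 r||yParityAndS into (r, s, v)."""
    if len(sig) == 65:
        return int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:64], "big"), sig[64]
    if len(sig) == 64:
        vs = int.from_bytes(sig[32:], "big")
        return int.from_bytes(sig[:32], "big"), vs & S_MASK, 27 + (vs >> 255)
    raise ValueError("signature must be 64 or 65 bytes")


def canonical_signature(sig: bytes) -> tuple[int, int, int]:
    """Return (r, s, v) only if the signature is in the single accepted form."""
    r, s, v = parse_signature(sig)
    if not 0 < r < N:
        raise ValueError("r out of range")
    if not 0 < s <= HALF_N:
        raise ValueError("high-s signature rejected")
    if v not in (27, 28):
        raise ValueError("v must be 27 or 28")
    return r, s, v


def encode_full(r: int, s: int, v: int) -> bytes:
    return r.to_bytes(32, "big") + s.to_bytes(32, "big") + bytes([v])


def encode_compact(r: int, s: int, v: int) -> bytes:
    """EIP-2098 encoding; only defined for low s, where the top bit of s is 0."""
    return r.to_bytes(32, "big") + (((v - 27) << 255) | s).to_bytes(32, "big")


# Constructed sample values (not a real signature; no curve math is done here).
R, S, V = 0x1234 << 200, 0x5678 << 180, 27
FULL = encode_full(R, S, V)
COMPACT = encode_compact(R, S, V)
HIGH_S_TWIN = encode_full(R, N - S, 28)  # complementary form that a bare ecrecover does not reject


def is_accepted(sig: bytes) -> bool:
    try:
        canonical_signature(sig)
        return True
    except ValueError:
        return False
```

The 65-byte and 64-byte encodings decode to the same (r, s, v) tuple, so replay tracking has to key on the signed digest or nonce rather than on the raw signature bytes.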

0xSorryNotSorry commented 1 year ago

OOS --> [L‑02] Missing checks for ecrecover() signature malleability

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as low quality report

c4-judge commented 1 year ago

gzeon-c4 marked the issue as unsatisfactory: Out of scope