code-423n4 / 2023-07-amphora-findings


permit function allows 0 signature #419

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-amphora/blob/179384321c36b669f48bc0485bbc1f807fba8fac/core/solidity/contracts/utils/UFragments.sol#L315-L341

Vulnerability details

Impact

The permit function in UFragments.sol allows 0 signature results, which is dangerous; the contract should revert on a 0 signature.

Proof of Concept

instances: https://github.com/code-423n4/2023-07-amphora/blob/179384321c36b669f48bc0485bbc1f807fba8fac/core/solidity/contracts/utils/UFragments.sol#L315-L341

  function permit(
    address _owner,
    address _spender,
    uint256 _value,
    uint256 _deadline,
    uint8 _v,
    bytes32 _r,
    bytes32 _s
  ) public {
    require(block.timestamp <= _deadline);

    uint256 _ownerNonce = _nonces[_owner];
    bytes32 _permitDataDigest = keccak256(abi.encode(PERMIT_TYPEHASH, _owner, _spender, _value, _ownerNonce, _deadline));
    bytes32 _digest = keccak256(abi.encodePacked('\x19\x01', DOMAIN_SEPARATOR(), _permitDataDigest));

    if (uint256(_s) > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0) {
      revert UFragments_InvalidSignature();
    }
    require(_owner == ecrecover(_digest, _v, _r, _s));
    if (_owner == address(0x0)) revert UFragments_InvalidSignature();

    _nonces[_owner] = _ownerNonce + 1;

    _allowedFragments[_owner][_spender] = _value;
    emit Approval(_owner, _spender, _value);
  }
}

Tools Used

VS Code

Recommended Mitigation Steps

Consider reverting on 0 signature results.

Assessed type

Invalid Validation

c4-pre-sort commented 1 year ago

minhquanym marked the issue as low quality report

c4-judge commented 1 year ago

dmvt marked the issue as unsatisfactory: Invalid
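
Added example, not part of the original report or of the Amphora code base: a minimal Solidity model of the three signature checks in the quoted `permit`, exercised with an all-zero signature for a non-zero owner and for the zero address. `PermitCheckModel`, `PermitCheckDemo`, the sample digest and the sample owner address are constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical model contract: reproduces only the signature checks of the quoted permit().
contract PermitCheckModel {
  error UFragments_InvalidSignature();

  // Same upper bound on s as in the quoted code (rejects malleable high-s signatures).
  uint256 internal constant _MAX_S = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

  function check(address _owner, bytes32 _digest, uint8 _v, bytes32 _r, bytes32 _s) external pure returns (bool) {
    if (uint256(_s) > _MAX_S) revert UFragments_InvalidSignature();
    // ecrecover yields address(0) when no signer can be recovered (e.g. v is not 27 or 28).
    // A non-zero _owner therefore cannot match a failed recovery and this require reverts.
    require(_owner == ecrecover(_digest, _v, _r, _s));
    // The only _owner that can match a failed recovery is address(0), rejected here.
    if (_owner == address(0x0)) revert UFragments_InvalidSignature();
    return true;
  }
}

// Hypothetical harness: feeds an all-zero signature to the model for two kinds of owner.
contract PermitCheckDemo {
  PermitCheckModel internal immutable _model = new PermitCheckModel();

  // Reports whether check() accepted (v, r, s) = (0, 0, 0) for the given owner.
  function zeroSignatureAccepted(address _owner) public view returns (bool) {
    // Constructed sample digest; any 32-byte value takes the same path.
    bytes32 _digest = keccak256('constructed sample digest');
    try _model.check(_owner, _digest, 0, bytes32(0), bytes32(0)) returns (bool _ok) {
      return _ok;
    } catch {
      return false;
    }
  }

  // Runs both cases: a constructed non-zero owner and the zero address.
  function demo() external view returns (bool _nonZeroOwner, bool _zeroOwner) {
    _nonZeroOwner = zeroSignatureAccepted(address(0xBEEF));
    _zeroOwner = zeroSignatureAccepted(address(0));
  }
}
```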