Closed code423n4 closed 1 year ago
This is a duplicate or subset from #141 - We proceed with the same resolution.
donosonaumczuk marked the issue as disagree with severity
Picodes marked the issue as duplicate of #141
Picodes marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/constants/Typehash.sol#L23
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/constants/Typehash.sol#L15
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/constants/Typehash.sol#L25
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/MetaTxLib.sol#L147-L148
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/MetaTxLib.sol#L245-L246
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/MetaTxLib.sol#L275-L276
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/constants/Types.sol#L181-L182
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/constants/Types.sol#L210-L211
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/constants/Types.sol#L239-L240
Vulnerability details
Impact
Signed transactions implementing EIP-712 signatures correctly will revert as their on-chain counterpart will be different.
Affected functions:
LensHub::postWithSig()
LensHub::commentWithSig()
LensHub::quoteWithSig()
Proof of Concept
The functions postWithSig(), commentWithSig(), and quoteWithSig() from LensHub all use EIP-712 to validate the owner/executor signature.
The contract incorrectly implements the Typehash for the EIP-712 signature, which will not be able to validate correct signatures, thus reverting those transactions.
The error is on the Typehashes assuming address collectModule and bytes collectModuleInitData, instead of the corresponding address[] actionModules and bytes[] actionModulesInitDatas, which have different types.
Note the use of address collectModule and bytes collectModuleInitData on the Typehashes:
These are the functions where the corresponding digests are calculated:
These are the corresponding type declarations:
Tools Used
Manual Review
Recommended Mitigation Steps
Fix the Typehashes for COMMENT, POST, and QUOTE:
address collectModule -> address[] actionModules
bytes collectModuleInitData -> bytes[] actionModulesInitDatas
Assessed type
Other
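The mismatch described in the report, as an added Solidity sketch that is not code from the report or from the Lens repository. The `Post` type strings are reduced to a few fields and are assumptions, as are the contract, struct and function names. The domain separator is left out because a differing struct hash already makes the final EIP-712 digest differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration: reduced, hypothetical type strings, not the project's own.
contract TypehashMismatchDemo {
    // Stale type string: declares single-module fields.
    bytes32 public constant STALE_TYPEHASH = keccak256(
        "Post(uint256 profileId,address collectModule,bytes collectModuleInitData,uint256 nonce,uint256 deadline)"
    );
    // Type string that matches the struct actually being signed: array fields.
    bytes32 public constant FIXED_TYPEHASH = keccak256(
        "Post(uint256 profileId,address[] actionModules,bytes[] actionModulesInitDatas,uint256 nonce,uint256 deadline)"
    );

    struct PostParams {
        uint256 profileId;
        address[] actionModules;
        bytes[] actionModulesInitDatas;
    }

    // EIP-712 array rule: keccak256 over the concatenated 32-byte element encodings.
    function _hashAddresses(address[] memory a) internal pure returns (bytes32) {
        return keccak256(abi.encodePacked(a)); // encodePacked pads array elements to 32 bytes
    }

    // Each bytes element is hashed first, then the hashes are hashed as an array.
    function _hashBytesArray(bytes[] memory b) internal pure returns (bytes32) {
        bytes32[] memory hashes = new bytes32[](b.length);
        for (uint256 i = 0; i < b.length; ++i) hashes[i] = keccak256(b[i]);
        return keccak256(abi.encodePacked(hashes));
    }

    function structHash(bytes32 typehash, PostParams memory p, uint256 nonce, uint256 deadline)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(
            typehash, p.profileId, _hashAddresses(p.actionModules),
            _hashBytesArray(p.actionModulesInitDatas), nonce, deadline
        ));
    }

    // Same data, different typehash: the hash checked on-chain differs from the one a
    // spec-following wallet signed, so the recovered signer will not match.
    function mismatch(PostParams memory p, uint256 nonce, uint256 deadline)
        external pure returns (bool)
    {
        return structHash(STALE_TYPEHASH, p, nonce, deadline)
            != structHash(FIXED_TYPEHASH, p, nonce, deadline);
    }
}
```

A unit test that signs with a standard EIP-712 library and submits the signature to the contract catches this class of bug, because the library derives the typehash from the declared field types rather than from a hand-written constant.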