Open code423n4 opened 1 year ago
We confirm it but we think this should be Low instead.
donosonaumczuk marked the issue as disagree with severity
Picodes marked the issue as satisfactory
Picodes marked the issue as selected for report
Following the same reasoning as in https://github.com/code-423n4/2023-07-lens-findings/issues/141, I'll keep Medium severity here as EIP compliance is of great importance for integrators and compatibility, so I consider this an instance of "function of the protocol [is] impacted", the function being the EIP712 compliance.
Picodes marked the issue as primary issue
Lines of code
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/MetaTxLib.sol#L143-L153
https://github.com/code-423n4/2023-07-lens/blob/main/contracts/libraries/MetaTxLib.sol#L100-L109
Vulnerability details
Bug Description
According to the EIP-712 specification, arrays are encoded by concatenating their elements and passing the result to keccak256:
An example of a correct implementation can be seen in validateUnfollowSignature(), where the idsOfProfilesToUnfollow array is passed to keccak256 after using abi.encodePacked():
MetaTxLib.sol#L368
However, some other functions in MetaTxLib encode arrays differently, which differs from the EIP-712 specification.
Some functions do not encode the array at all, and pass the array to abi.encode() alongside other arguments in its struct. For example, in validatePostSignature(), the postParams.actionModules array is not encoded by itself:
MetaTxLib.sol#L143-L153
Other instances of this include:
mirrorParams.referrerProfileIds and mirrorParams.referrerPubIds in validateMirrorSignature()
publicationActionParams.referrerProfileIds and publicationActionParams.referrerPubIds in validateActSignature()
_abiEncode(), namely validateCommentSignature() and validateQuoteSignature()
Secondly, the validateChangeDelegatedExecutorsConfigSignature() function encodes the delegatedExecutors and approvals arrays using abi.encodePacked(), but does not pass them to keccak256:
MetaTxLib.sol#L100-L109
Impact
As arrays are encoded incorrectly, the signature verification in the functions listed above is not EIP-712 compliant.
Contracts or dapps/backends that encode arrays according to the rules specified in EIP-712 will end up with different signatures, causing any of the functions listed above to revert when called.
Moreover, the inconsistent encoding of arrays might be extremely confusing to developers who wish to use these functions to implement meta-transactions.
Recommended Mitigation
Consider encoding arrays correctly in the functions listed above, which can be achieved by calling abi.encodePacked() on the array and passing its results to keccak256.
Assessed type
Other
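The three array encodings contrasted in the report above, side by side, as an added example that is not code from MetaTxLib or the Lens repository. The Example type, its typehash, the contract name and the function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration only; the struct type and all names here are hypothetical.
contract ArrayEncodingDemo {
    // Hypothetical EIP-712 type with a single array member.
    bytes32 constant EXAMPLE_TYPEHASH =
        keccak256("Example(uint256[] ids,uint256 nonce,uint256 deadline)");

    /// EIP-712 form: the array member is keccak256 over its concatenated
    /// elements, so it occupies exactly one 32-byte word in the struct encoding.
    function structHashCompliant(uint256[] memory ids, uint256 nonce, uint256 deadline)
        public pure returns (bytes32)
    {
        return keccak256(
            abi.encode(EXAMPLE_TYPEHASH, keccak256(abi.encodePacked(ids)), nonce, deadline)
        );
    }

    /// First pattern in the report: the array is handed to abi.encode() as is.
    /// abi.encode() writes an offset in the head and length plus elements in the tail.
    function structHashRawArray(uint256[] memory ids, uint256 nonce, uint256 deadline)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(EXAMPLE_TYPEHASH, ids, nonce, deadline));
    }

    /// Second pattern in the report: abi.encodePacked() output is not hashed,
    /// so the member is ABI-encoded as dynamic bytes instead of a bytes32 digest.
    function structHashPackedNoHash(uint256[] memory ids, uint256 nonce, uint256 deadline)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(EXAMPLE_TYPEHASH, abi.encodePacked(ids), nonce, deadline));
    }

    /// True when a signer that follows EIP-712 would produce a struct hash that
    /// matches neither of the two non-compliant forms for the same inputs.
    function bothDiverge(uint256[] memory ids, uint256 nonce, uint256 deadline)
        external pure returns (bool)
    {
        bytes32 good = structHashCompliant(ids, nonce, deadline);
        return good != structHashRawArray(ids, nonce, deadline)
            && good != structHashPackedNoHash(ids, nonce, deadline);
    }
}
```

Because the struct hash feeds the final EIP-712 digest, a signature produced over the compliant form recovers a different signer under either of the other two forms, which is why a verifier using them rejects signatures from EIP-712-conformant tooling.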