Closed c4-bot-1 closed 8 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #6
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as not a duplicate
raymondfam marked the issue as primary issue
QA low. No matter which of the 2 signatures is used, only 1 can ever be used due to nonces[from]++.
MarioPoneder marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/d42cc62b873a1b2b44f57310f9d4bbfdd875e8d6/packages/revolution/src/CultureIndex.sol#L419-L444
Vulnerability details
Impact
The elliptic curve used in Ethereum for signatures is symmetric, hence for every valid signature [v,r,s] there exists a second [v,r,s] that yields the same valid result. Two valid signatures therefore exist for every signed message, which allows an attacker to compute a second valid signature without knowing the signer's private key.
ecrecover() is vulnerable to signature malleability, so it can be dangerous to use it directly. An attacker can compute another corresponding [v,r,s] that will make this check pass because of the symmetric nature of the elliptic curve.
Proof of Concept
Tools Used
Manual review
Recommended Mitigation Steps
The easiest way to prevent this issue is to use OpenZeppelin's ECDSA.sol library; the comments above ECDSA's tryRecover() function give useful guidance on implementing signature checks that reject malleable signatures.
When using OpenZeppelin's ECDSA library, special care must be taken to use version 4.7.3 or greater, since previous versions contained a signature malleability bug.
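To make the Impact and Recommended Mitigation sections concrete, the following is an added example, not code from this report or from the Revolution Protocol codebase. It implements secp256k1 ECDSA signing and an ecrecover that mirrors the EVM precompile's acceptance rules in plain Python (demo-grade, not constant-time), shows that a signature [v,r,s] and its mirror [v',r,n-s] both recover the same signer, and then applies the low-s and v range check that OpenZeppelin's ECDSA.tryRecover (4.7.3 and later) performs before calling ecrecover, which accepts exactly one of the two. The private key, message hash and nonce are constructed for the demo, and the function names (sign, ecrecover, malleate, is_canonical, demo) are this example's own.

```python
import hashlib

# secp256k1 domain parameters (the curve behind Ethereum's ecrecover).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HALF_N = N // 2  # largest s that OpenZeppelin's tryRecover accepts


def _add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication (demo only, not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def sign(priv, h, k):
    """Textbook ECDSA with an explicit nonce k (constructed for the demo; real
    signers derive k per RFC 6979). Assumes R.x < N, which is the normal case."""
    rx, ry = _mul(k, G)
    r = rx % N
    s = pow(k, -1, N) * (h + r * priv) % N
    v = 27 + (ry & 1)  # recovery id encodes the parity of R.y
    return v, r, s


def ecrecover(h, v, r, s):
    """Mirror of the precompile's rules: v must be 27/28 and r, s in [1, N-1],
    but s > N/2 is NOT rejected, which is the gap OpenZeppelin's wrapper closes.
    Returns the signer's public key point, or None."""
    if v not in (27, 28) or not 1 <= r < N or not 1 <= s < N:
        return None
    y2 = (pow(r, 3, P) + 7) % P
    y = pow(y2, (P + 1) // 4, P)  # modular sqrt, valid because P % 4 == 3
    if y * y % P != y2:
        return None
    if (y & 1) != (v - 27):
        y = P - y
    rinv = pow(r, -1, N)
    # Q = r^-1 * (s*R - h*G)
    return _add(_mul(s * rinv % N, (r, y)), _mul((-h * rinv) % N, G))


def malleate(v, r, s):
    """The second valid encoding of the same signature: negate s, flip v."""
    return 55 - v, r, N - s


def is_canonical(v, r, s):
    """The low-s and v check tryRecover applies before ecrecover; exactly one
    of the two encodings of any signature passes it."""
    return v in (27, 28) and 1 <= r < N and 1 <= s <= HALF_N


def demo():
    # Every input below is constructed for the demo; none is a real key.
    priv = int.from_bytes(hashlib.sha256(b"demo private key").digest(), "big") % N
    h = int.from_bytes(hashlib.sha256(b"demo message digest").digest(), "big") % N
    k = int.from_bytes(hashlib.sha256(b"demo nonce").digest(), "big") % N
    pub = _mul(priv, G)
    sig = sign(priv, h, k)
    alt = malleate(*sig)
    return {
        "pub": pub,
        "recovered": ecrecover(h, *sig),
        "recovered_alt": ecrecover(h, *alt),
        "canonical": is_canonical(*sig),
        "canonical_alt": is_canonical(*alt),
    }


if __name__ == "__main__":
    d = demo()
    print("both encodings recover the signer:", d["recovered"] == d["pub"] == d["recovered_alt"])
    print("canonical check accepts exactly one:", d["canonical"] != d["canonical_alt"])
```

The check only removes the second encoding; it does not by itself stop a signature from being presented twice. As the judge's comment notes, the nonces[from]++ consumption in the contract is what limits each signature to a single use, and the low-s check matters most where a signature's bytes are themselves used as a unique identifier.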
Assessed type
Other