code-423n4 / 2023-12-revolutionprotocol-findings


_verifyVoteSignature wrong implementation #718

Closed c4-bot-6 closed 8 months ago

c4-bot-6 commented 8 months ago

Lines of code

https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/CultureIndex.sol#L431

Vulnerability details

Impact

Detailed description of the impact of this finding.

`voteHash = keccak256(abi.encode(VOTE_TYPEHASH, from, pieceIds, nonces[from]++, deadline));`

Here we are using `nonces[from]++` for calculating `voteHash`, but different `from` addresses can have the same `nonces[from]++`, therefore creating the same `voteHash`.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

```solidity
function _verifyVoteSignature(
    address from,
    uint256[] calldata pieceIds,
    uint256 deadline,
    uint8 v,
    bytes32 r,
    bytes32 s
) internal returns (bool success) {
    require(deadline >= block.timestamp, "Signature expired");

    bytes32 voteHash;

@>  voteHash = keccak256(abi.encode(VOTE_TYPEHASH, from, pieceIds, nonces[from]++, deadline));

    bytes32 digest = _hashTypedDataV4(voteHash);

    address recoveredAddress = ecrecover(digest, v, r, s);

    // Ensure to address is not 0
    if (from == address(0)) revert ADDRESS_ZERO();

    // Ensure signature is valid
    if (recoveredAddress == address(0) || recoveredAddress != from) revert INVALID_SIGNATURE();

    return true;
}
```

Tools Used

Manual Analysis

Recommended Mitigation Steps

Assessed type

Invalid Validation
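
An added sketch (not code from the report or from CultureIndex.sol) that isolates the flagged expression so its inputs can be compared: `from` is one of the encoded fields, and `nonces[from]++` yields the signer's current nonce before incrementing it. The `VOTE_TYPEHASH` type string, the contract and function names, and the two sample addresses are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; not part of CultureIndex.sol.
contract VoteHashDemo {
    // Assumed type string: the page does not show how VOTE_TYPEHASH is defined.
    bytes32 public constant VOTE_TYPEHASH =
        keccak256("Vote(address from,uint256[] pieceIds,uint256 nonce,uint256 deadline)");

    // Per-signer counters, as in the flagged line.
    mapping(address => uint256) public nonces;

    // The flagged expression, with the nonce passed in explicitly.
    function voteHash(
        address from,
        uint256[] memory pieceIds,
        uint256 nonce,
        uint256 deadline
    ) public pure returns (bytes32) {
        return keccak256(abi.encode(VOTE_TYPEHASH, from, pieceIds, nonce, deadline));
    }

    // Two sample signers (constructed addresses) with identical pieceIds,
    // deadline and nonce value: only `from` differs in the preimage.
    function equalNoncesDistinctHashes(uint256[] memory pieceIds, uint256 deadline)
        external
        view
        returns (bool)
    {
        address alice = address(0xA11CE);
        address bob = address(0xB0B);
        require(nonces[alice] == nonces[bob], "demo expects equal nonces");
        return voteHash(alice, pieceIds, nonces[alice], deadline)
            != voteHash(bob, pieceIds, nonces[bob], deadline);
    }

    // `nonces[from]++` evaluates to the current value and then increments it,
    // so two consecutive hashes for the same signer and vote use n and n + 1.
    function consecutiveHashes(address from, uint256[] memory pieceIds, uint256 deadline)
        external
        returns (bytes32 first, bytes32 second)
    {
        first = voteHash(from, pieceIds, nonces[from]++, deadline);
        second = voteHash(from, pieceIds, nonces[from]++, deadline);
        assert(first != second);
    }
}
```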

c4-pre-sort commented 8 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 8 months ago

raymondfam marked the issue as duplicate of #711

c4-judge commented 8 months ago

MarioPoneder marked the issue as unsatisfactory: Insufficient quality