search

code-423n4 / 2024-01-decent-findings

3 stars 3 forks source link

Signature can be re-used to pay less fees if fees are changed #727

Closed c4-bot-3 closed 8 months ago

c4-bot-3 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-01-decent/blob/011f62059f3a0b1f3577c8ccd1140f0cf3e7bb29/src/UTBFeeCollector.sol#L44-L62

Vulnerability details

Impact

If Decent increase there fees, user could still replay old signatures and pay the old fee instead.

Proof of Concept

There is no nonce, deadline or variable in the digest that limits old signatures from being replayed:

function collectFees(
        FeeStructure calldata fees,
        bytes memory packedInfo,
        bytes memory signature
    ) public payable onlyUtb {
        bytes32 constructedHash = keccak256(
            abi.encodePacked(BANNER, keccak256(packedInfo))
        );
        (bytes32 r, bytes32 s, uint8 v) = splitSignature(signature);
        address recovered = ecrecover(constructedHash, v, r, s);
        require(recovered == signer, "Wrong signature");
        if (fees.feeToken != address(0)) {
            IERC20(fees.feeToken).transferFrom(
                utb,
                address(this),
                fees.feeAmount
            );
        }
    }

If Decent increases their fee, users can use old signatures to use the bridge with a cheaper fee.

This can go on until Decent realizes that this is possible and they change the signer at which point all previous signatures are invalid.

Tools Used

vscode

Recommended Mitigation Steps

Add a feeNonce that is updates when fees are changed such that all previous signatures are invalidated.

Assessed type

Invalid Validation

c4-pre-sort commented 8 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 8 months ago

raymondfam marked the issue as duplicate of #16

c4-judge commented 8 months ago

alex-ppg marked the issue as unsatisfactory: Invalid