Closed c4-bot-3 closed 8 months ago
https://github.com/code-423n4/2024-01-decent/blob/011f62059f3a0b1f3577c8ccd1140f0cf3e7bb29/src/UTBFeeCollector.sol#L44-L62
If Decent increase there fees, user could still replay old signatures and pay the old fee instead.
There is no nonce, deadline or variable in the digest that limits old signatures from being replayed:
function collectFees( FeeStructure calldata fees, bytes memory packedInfo, bytes memory signature ) public payable onlyUtb { bytes32 constructedHash = keccak256( abi.encodePacked(BANNER, keccak256(packedInfo)) ); (bytes32 r, bytes32 s, uint8 v) = splitSignature(signature); address recovered = ecrecover(constructedHash, v, r, s); require(recovered == signer, "Wrong signature"); if (fees.feeToken != address(0)) { IERC20(fees.feeToken).transferFrom( utb, address(this), fees.feeAmount ); } }
If Decent increases their fee, users can use old signatures to use the bridge with a cheaper fee.
This can go on until Decent realizes that this is possible and they change the signer at which point all previous signatures are invalid.
signer
vscode
Add a feeNonce that is updates when fees are changed such that all previous signatures are invalidated.
Invalid Validation
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #16
alex-ppg marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-01-decent/blob/011f62059f3a0b1f3577c8ccd1140f0cf3e7bb29/src/UTBFeeCollector.sol#L44-L62
Vulnerability details
Impact
If Decent increase there fees, user could still replay old signatures and pay the old fee instead.
Proof of Concept
There is no nonce, deadline or variable in the digest that limits old signatures from being replayed:
If Decent increases their fee, users can use old signatures to use the bridge with a cheaper fee.
This can go on until Decent realizes that this is possible and they change the
signer
at which point all previous signatures are invalid.Tools Used
vscode
Recommended Mitigation Steps
Add a feeNonce that is updates when fees are changed such that all previous signatures are invalidated.
Assessed type
Invalid Validation