search

code-423n4 / 2024-01-decent-findings

3 stars 3 forks source link

cross reply is possible because there is no chain id in signed data #735

Closed c4-bot-7 closed 8 months ago

c4-bot-7 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-01-decent/blob/07ef78215e3d246d47a410651906287c6acec3ef/src/UTBFeeCollector.sol#L44-L63

Vulnerability details

Impact

cross reply is possible because there is no chain id in signed data in the contract UTBFeeCollector.sol the function collectFees is vulnerable to cross chain sig reply attack because the signed data don't actually include the chainId in signed data which creates this problem. so what it creates is it makes

Proof of Concept

    function collectFees(
        FeeStructure calldata fees,
        bytes memory packedInfo,
        bytes memory signature
    ) public payable onlyUtb {
        bytes32 constructedHash = keccak256(
            abi.encodePacked(BANNER, keccak256(packedInfo))
        );
        (bytes32 r, bytes32 s, uint8 v) = splitSignature(signature);
        address recovered = ecrecover(constructedHash, v, r, s);
        require(recovered == signer, "Wrong signature");
        if (fees.feeToken != address(0)) {
            IERC20(fees.feeToken).transferFrom(
                utb,
                address(this),
                fees.feeAmount
            );
        }
    }

Tools Used

vscode

Recommended Mitigation Steps

Assessed type

Other

c4-pre-sort commented 8 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 8 months ago

raymondfam marked the issue as duplicate of #16

c4-judge commented 8 months ago

alex-ppg marked the issue as unsatisfactory: Invalid