code-423n4 / 2024-02-uniswap-foundation-findings


Quantum-Resistant Upgrades Could Imperil Signature Validation #250

Closed c4-bot-10 closed 9 months ago

c4-bot-10 commented 9 months ago

Lines of code

https://github.com/code-423n4/2024-02-uniswap-foundation/blob/5298812a129f942555466ebaa6ea9a2af4be0ccc/src/UniStaker.sol#L315-L334

Vulnerability details

Impact

A future Ethereum upgrade to introduce quantum-resistant signatures and hashes could break core assumptions in UniStaker around encoding and validation.

Affected Logic:

The primary risk vector is signature validation encoding, as used here: stakeOnBehalf

function stakeOnBehalf(
  uint256 _amount,
  address _delegatee,
  address _beneficiary,
  address _depositor,
  bytes memory _signature
) external returns (DepositIdentifier _depositId) {
  _revertIfSignatureIsNotValidNow(
    _depositor,
    _hashTypedDataV4(
      keccak256(
        abi.encode(
          STAKE_TYPEHASH, _amount, _delegatee, _beneficiary, _depositor, _useNonce(_depositor)
        )
      )
    ),
    _signature
  );
  _depositId = _stake(_depositor, _amount, _delegatee, _beneficiary);
}

Failure Conditions:

If and when Ethereum upgrades to a post-quantum signature scheme like BLISS or Dilithium, the ecrecover-style validation and EIP-712 digest domain separation would fail. stakeOnBehalf and all signature flows break.

Likelihood:

Ethereum has indicated intent to upgrade to quantum-resistant cryptography in the next 5-10 years. Thus the breakage risks are high.

Effects:

Breaking signature validation would block depositors from taking permitted actions through the staking contract, preventing value access and harming liquidity.

Proof of Concept

A future Ethereum upgrade to post-quantum signatures would invalidate UniStaker's signature verification, blocking depositors from permitted actions. Unable to access funds, stakers would flee and liquidity would vanish.

  1. Ethereum announces upgrade to BLISS signatures in 18 months
  2. UniStaker continues using SECP256k1 and EIP-712 encoding
  3. Upgrade deploys, old sig scheme is deprecated
  4. stakeOnBehalf and all signature flows now revert
  5. Depositors cannot access funds, draining liquidity

Technical

The signature validation in stakeOnBehalf relies on cryptographic assumptions:

_revertIfSignatureIsNotValidNow(
  _depositor,
  _hashTypedDataV4(
    keccak256(
      abi.encode(
        STAKE_TYPEHASH, _amount, _delegatee, _beneficiary, _depositor, _useNonce(_depositor)
      )
    )
  ),
  _signature
);

A move to quantum-resistant signatures would break these encoding and validation steps.

Tools Used

VS

Recommended Mitigation Steps

Isolate signature validation into a versioned contract that can be upgraded if crypto primitives change. Add support for multiple schemes.

This would future-proof UniStaker against planned cryptographic upgrades.

Assessed type

en/de-code
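A sketch of the "versioned, multi-scheme" validation the mitigation describes, added here as an illustration; it is not code from the UniStaker repository or from the finding. It assumes OpenZeppelin's SignatureChecker for the existing secp256k1/EIP-1271 path and a constructed one-byte version prefix on each signature to select the scheme; any future scheme would be a separate contract registered under a new version number.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {SignatureChecker} from "@openzeppelin/contracts/utils/cryptography/SignatureChecker.sol";

/// Every signature scheme the staker accepts implements this interface (assumed, not UniStaker's).
interface ISignatureScheme {
    function isValidSignature(address signer, bytes32 digest, bytes calldata signature) external view returns (bool);
}

/// Scheme 0: today's secp256k1 ECDSA (EOAs) plus EIP-1271 contract signers, via OpenZeppelin.
contract EcdsaScheme is ISignatureScheme {
    function isValidSignature(address signer, bytes32 digest, bytes calldata signature) external view returns (bool) {
        return SignatureChecker.isValidSignatureNow(signer, digest, signature);
    }
}

/// Router that dispatches on the version byte; the staker would call isValidSignatureNow
/// in place of its inline ecrecover-style check and keep the EIP-712 digest construction as is.
contract SignatureRouter {
    address public immutable owner;
    mapping(uint8 => ISignatureScheme) public schemes;

    event SchemeRegistered(uint8 indexed version, address scheme);

    constructor(ISignatureScheme initialScheme) {
        owner = msg.sender;
        schemes[0] = initialScheme;
        emit SchemeRegistered(0, address(initialScheme));
    }

    /// Versions are append-only: an existing version can never be re-pointed, so a signature
    /// that validated yesterday validates the same way today. The owner still decides which
    /// new schemes are trusted, so this key must be governed like any other upgrade authority.
    function registerScheme(uint8 version, ISignatureScheme scheme) external {
        require(msg.sender == owner, "not owner");
        require(address(scheme) != address(0), "zero scheme");
        require(address(schemes[version]) == address(0), "version already registered");
        schemes[version] = scheme;
        emit SchemeRegistered(version, address(scheme));
    }

    /// Signature layout (constructed for this example): [version byte][scheme-specific bytes].
    function isValidSignatureNow(address signer, bytes32 digest, bytes calldata signature) external view returns (bool) {
        if (signature.length == 0) return false;
        ISignatureScheme scheme = schemes[uint8(signature[0])];
        if (address(scheme) == address(0)) return false; // unknown version: reject, never fall back
        return scheme.isValidSignature(signer, digest, signature[1:]);
    }
}
```

Existing ECDSA signatures need a leading 0x00 byte to pass through the router; a bare 65-byte signature is rejected rather than silently reinterpreted.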

MarioPoneder commented 9 months ago

Speculation on future changes

c4-judge commented 9 months ago

MarioPoneder marked the issue as unsatisfactory: Invalid