Closed c4-bot-7 closed 5 months ago
This analyzes openzeppelin’s v5.0.0 ECDSA contract for solidity versions ^0.8.20. However AI Arena contracts are compiled with solidity version 0.8.13. From what I understand, we should look at ECSDA contract from the v4.7 release https://github.com/OpenZeppelin/openzeppelin-contracts/blob/release-v4.7/contracts/utils/cryptography/ECDSA.sol, which includes the toEthSignedMessageHash
function.
jhsagd76 marked the issue as unsatisfactory: Invalid
This analyzes openzeppelin’s v5.0.0 ECDSA contract for solidity versions ^0.8.20. However AI Arena contracts are compiled with solidity version 0.8.13. From what I understand, we should look at ECSDA contract from the v4.7 release https://github.com/OpenZeppelin/openzeppelin-contracts/blob/release-v4.7/contracts/utils/cryptography/ECDSA.sol, which includes the
toEthSignedMessageHash
function.
@fnanni @jhsagd76 How does this actually work? Where is the lock to version v4.7?
import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
will import the latest version which requires 0.8.20. Verification.sol does not restrict the compiler version.
@fnanni @jhsagd76 How does this actually work? Where is the lock to version v4.7?
import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
will import the latest version which requires 0.8.20. Verification.sol does not restrict the compiler version.
I don't think it's possible to compile one part of a contract with one compiler version and another part with another version. Verification.sol gets compiled with solidity version 0.8.13 as all AI Arena contracts (see the foundry.toml file). Therefore, it shouldn't be possible to inherit contracts with pragma solidity ^0.8.20
.
Openzeppelin contracts at commit @ ecd2ca2 are used.
Well, apparently ECDSA.sol v4.7 was already installed. But if it were to be reinstalled, by default it would install the latest version and then Verification.sol wouldn't compile if compiler version 0.8.13 is used. Not sure what best practice is, but it seems pragma solidity >=0.8.0 <0.9.0;
should be changed.
Lines of code
https://github.com/ArenaX-Labs/2024-02-ai-arena-mitigation/blob/d81beee0df9c5465fe3ae954ce41300a9dd60b7f/src/Verification.sol#L20
Vulnerability details
Impact
Verification.verify()
reverts. This breaksAAMintPass.claimMintPass()
,FighterFarm.claimFighters()
andFighterFarm.redeemMintPass()
.Proof of Concept
Verification.sol#L20:
will revert because
toEthSignedMessageHash()
is located in MessageHashUtils.sol.This breaks
AAMintPass.claimMintPass()
,FighterFarm.claimFighters()
andFighterFarm.redeemMintPass()
, which callVerification.verify()
.Recommended Mitigation Steps
Assessed type
Library