Lines of code
Vulnerability details
C4 issue
ADD-02: L-02 FighterFarm::claimFighters: Ecrecover is known to be vulnerable to signature malleability, from this QA Report
Comments
Solidity's ecrecover function, used in the Verification contract, is known to be vulnerable to signature malleability. AI Arena's contracts are not exploitable through it, because the same signed data cannot be used twice, whether it is presented with the original signature or with a malleated one derived from it. The team still decided to change the implementation and use a non-malleable signature recovery method.
Mitigation
PR #8: This commit introduces OpenZeppelin's ECDSA helper library, which rejects the high-s form of a signature before recovery and so prevents signature malleability issues.
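As an added example (not code from the AI Arena contracts, the C4 report or OpenZeppelin), the following pure-Python model of secp256k1 and the ecrecover precompile shows the three points made above: a raw ecrecover accepts two distinct signatures for one signed digest, a replay guard keyed on the signed data still rejects the second one (the argument made in the Comments), and the low-s rule that OpenZeppelin's ECDSA library applies before recovery accepts exactly one of the pair. The private key, nonce, digest and the claim() guard are constructed for the demo; sha256 stands in for keccak256, and the curve arithmetic is a textbook, non-constant-time model for illustration only.

```python
import hashlib

# secp256k1 domain parameters, the curve behind the ecrecover precompile
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HALF_N = N // 2  # an s above this is "high-s"; OpenZeppelin's ECDSA rejects it

def _add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # q == -p
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, p):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, p)
        p = _add(p, p)
        k >>= 1
    return acc

def sign(priv, e, k):
    """Textbook ECDSA over digest e with caller-supplied nonce k -> (r, s, v), v in {27, 28}."""
    rx, ry = _mul(k, G)
    r = rx % N
    s = pow(k, -1, N) * (e + r * priv) % N
    return r, s, 27 + (ry & 1)

def ecrecover(e, r, s, v):
    """Models the EVM precompile: any valid (r, s, v) recovers the key; no low-s check."""
    if not (1 <= r < N and 1 <= s < N and v in (27, 28)):
        return None
    y_sq = (pow(r, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)  # P % 4 == 3, so this is a square root when one exists
    if y * y % P != y_sq:
        return None
    if (y & 1) != (v - 27):
        y = P - y
    # Q = r^-1 * (s*R - e*G)
    return _mul(pow(r, -1, N), _add(_mul(s, (r, y)), _mul((-e) % N, G)))

def malleate(r, s, v):
    """The second valid signature for the same digest: (r, N - s) with the parity bit flipped."""
    return r, N - s, 27 + ((v - 27) ^ 1)

def recover_strict(e, r, s, v):
    """What OpenZeppelin's ECDSA.recover adds on top of ecrecover: reject high-s first."""
    if s > HALF_N:
        raise ValueError("ECDSAInvalidSignatureS")
    return ecrecover(e, r, s, v)

def claim(e, sig, signer, used, key_on_signature):
    """Constructed replay-guard model: True if the claim is accepted and consumed."""
    if ecrecover(e, *sig) != signer:
        return False
    key = sig if key_on_signature else e  # what the contract remembers as "used"
    if key in used:
        return False
    used.add(key)
    return True

def run_demo():
    priv = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD  # constructed key
    k = 0x7A1D9F3C5B2E8D4A6C9F1B3E5D7A9C2F4E6B8D0A3C5E7F9B1D3F5A7C9E1B3D5F  # constructed nonce
    signer = _mul(priv, G)
    # constructed stand-in for the keccak256 digest the contract signs over
    e = int.from_bytes(hashlib.sha256(b"constructed: claim 2 fighters").digest(), "big") % N
    sig = sign(priv, e, k)
    sig2 = malleate(*sig)

    def strict_ok(s):
        try:
            return recover_strict(e, *s) == signer
        except ValueError:
            return False

    by_digest, by_sig = set(), set()
    return {
        # raw ecrecover accepts both signatures for the one digest
        "raw_accepts_both": ecrecover(e, *sig) == signer and ecrecover(e, *sig2) == signer,
        # the low-s rule accepts exactly one of them
        "strict_accepts": (strict_ok(sig), strict_ok(sig2)),
        # a guard keyed on the signed data blocks the malleated replay (the report's argument) ...
        "replay_keyed_on_digest": (claim(e, sig, signer, by_digest, False),
                                   claim(e, sig2, signer, by_digest, False)),
        # ... while a guard keyed on the signature bytes would let it through
        "replay_keyed_on_sig": (claim(e, sig, signer, by_sig, True),
                                claim(e, sig2, signer, by_sig, True)),
    }
```

run_demo() returns the four checks as a dict. Exactly one of s and N - s can exceed N // 2, which is why the low-s rule leaves each digest with a single accepted signature; the replay comparison is the reason the report rates the issue as low for AI Arena, and the low-s check is the belt-and-braces change PR #8 adopts.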
Suggestion
None
Conclusion
LGTM