Open hats-bug-reporter[bot] opened 8 months ago
Duplicate.
Comment:
src/apps/mock/IncentivizedMockEscrow.sol
What is the impact?
src/apps/wormhole/external/callworm/WormholeVerifier.sol
Based on Wormhole. What is the impact?
src/apps/wormhole/external/wormhole/Messages.sol
Not in scope.
Github username: @erictee2802
Twitter username: 0xEricTee
Submission hash (on-chain): 0x850575d52b2daf230d814372a6c6e803f0d6687670b0592324c3c403151bcef8
Severity: low
Description:
The ecrecover function is used to verify signatures. The built-in EVM precompile ecrecover is susceptible to signature malleability (because of non-unique s and v values) which could lead to replay attacks (references: https://swcregistry.io/docs/SWC-117, https://swcregistry.io/docs/SWC-121 and https://medium.com/cryptronics/signature-replay-vulnerabilities-in-smart-contracts-3b6f7596df57).
Attack Scenario:
Use of ecrecover might lead to replay attacks.
Attachments
NA
Proof of Concept (PoC) File
NA
Revised Code File (Optional)
Consider using OpenZeppelin’s ECDSA library (which prevents this malleability) instead of the built-in function: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/cryptography/ECDSA.sol
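
The check the report recommends can be sketched as follows. This is an added example, not code from the reported repository or from OpenZeppelin; `StrictRecover`, `OneShotVerifier` and all member names are hypothetical. It rejects the upper-half `s` encoding before calling `ecrecover` and tracks used authorizations by digest rather than by signature bytes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added example; not code from the audited repository or from OpenZeppelin.
// StrictRecover, OneShotVerifier and all member names are hypothetical.
library StrictRecover {
    // Half of the secp256k1 group order n, rounded down.
    uint256 internal constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    error HighS();
    error BadV();
    error InvalidSignature();

    function recover(bytes32 digest, uint8 v, bytes32 r, bytes32 s)
        internal
        pure
        returns (address signer)
    {
        // (r, s, v) and (r, n - s, the other v) recover the same address,
        // so only the lower-half s encoding is accepted.
        if (uint256(s) > HALF_N) revert HighS();
        if (v != 27 && v != 28) revert BadV();
        signer = ecrecover(digest, v, r, s);
        // ecrecover returns address(0) on failure instead of reverting.
        if (signer == address(0)) revert InvalidSignature();
    }
}

contract OneShotVerifier {
    address public immutable trustedSigner;
    // Keyed by the signed digest, never by the signature bytes, so a
    // re-encoded signature cannot be counted as a new authorization.
    mapping(bytes32 => bool) public consumed;

    error AlreadyConsumed();
    error WrongSigner();

    constructor(address signer_) {
        trustedSigner = signer_;
    }

    function consume(bytes32 digest, uint8 v, bytes32 r, bytes32 s) external {
        if (consumed[digest]) revert AlreadyConsumed();
        if (StrictRecover.recover(digest, v, r, s) != trustedSigner) revert WrongSigner();
        consumed[digest] = true;
    }
}
```

The example assumes `digest` already commits to a nonce, the chain ID and the verifying contract's address; without that, the same signed message remains valid in other contexts regardless of the `s` check.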