Github username: @Madalad
Submission hash (on-chain): 0xf49898de8ab683b82d737af31430a11d18fdd7c42cd9fc246d4b2c56db23ac95
Severity: low
Description
To ensure that the caller is an EOA, msg.sender == tx.origin is used. However, EIP-3074 would mean that this no longer provides such a guarantee.

This EIP introduces two EVM instructions, AUTH and AUTHCALL. The first sets a context variable, authorized, based on an ECDSA signature from the account being authorized. The second sends a call as the authorized account: the callee sees the authorized EOA as msg.sender, while tx.origin remains the sender of the transaction. So if the EOA itself submits a transaction to an invoker contract that performs AUTH and then AUTHCALL into the presale, the presale sees msg.sender == tx.origin even though the call was constructed and issued by contract code. This essentially delegates control of the externally owned account (EOA) to a smart contract.

Therefore, using tx.origin to ensure that msg.sender is an EOA will no longer hold in the event that EIP-3074 goes through.

Relevant code: https://github.com/Cvg-Finance/hats-audit/blob/main/contracts/PresaleVesting/SeedPresaleCvg.sol#L94

Attack Scenario
Given EIP-3074, users would be able to call functions carrying the onlyEOA modifier from a smart contract.

Recommendation
In its current state the onlyEOA modifier may not fully protect against smart contracts calling the function, and it also unfairly excludes users of smart wallets such as Gnosis Safe, for whom msg.sender is the wallet contract while tx.origin is the signing EOA. Rethink the need for the function investMint to be callable only by EOAs and update the codebase accordingly.
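The two observations above (the check cannot distinguish an EIP-3074 AUTHCALL from a genuine EOA call, and it rejects smart-wallet users today) as an added Foundry test. This is not part of the submission or of the Cvg-Finance codebase: it assumes the onlyEOA modifier at the referenced line is a plain require(msg.sender == tx.origin), and the contracts PresaleStub and WalletStub, the test contract OnlyEOATest and the address alice are stand-ins constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Stand-in for the presale contract. Constructed for this example, not the
// project's code; only the onlyEOA pattern under discussion is reproduced,
// and the modifier body is an assumption about SeedPresaleCvg.sol#L94.
contract PresaleStub {
    mapping(address => uint256) public invested;

    modifier onlyEOA() {
        require(msg.sender == tx.origin, "onlyEOA: caller is a contract");
        _;
    }

    function investMint() external payable onlyEOA {
        invested[msg.sender] += msg.value;
    }
}

// Minimal contract wallet standing in for a Gnosis Safe (hypothetical; a real
// Safe has owners and signature checks). It forwards a call on behalf of its
// user, so the target sees the wallet, not the user, as msg.sender.
contract WalletStub {
    function exec(address target, bytes calldata data) external payable {
        (bool ok, bytes memory ret) = target.call{value: msg.value}(data);
        if (!ok) {
            // Bubble up the target's revert reason unchanged.
            assembly {
                revert(add(ret, 32), mload(ret))
            }
        }
    }
}

contract OnlyEOATest is Test {
    PresaleStub presale;
    WalletStub wallet;
    address alice = makeAddr("alice");

    function setUp() public {
        presale = new PresaleStub();
        wallet = new WalletStub();
        vm.deal(alice, 10 ether);
    }

    // Case 1: msg.sender == tx.origin == alice. This is what the presale sees
    // both when alice's EOA calls directly today and when, under EIP-3074, an
    // invoker contract AUTHCALLs on alice's behalf in a transaction alice sent
    // herself (AUTHCALL sets the callee's msg.sender to the authorized EOA
    // while tx.origin stays alice). The two-argument prank reproduces exactly
    // that observable state for a call issued from this test contract's code,
    // so the check passes even though contract code made the call.
    function test_senderEqualsOriginPasses() public {
        vm.prank(alice, alice);
        presale.investMint{value: 1 ether}();
        assertEq(presale.invested(alice), 1 ether);
        // An extcodesize check would not help either: the authorized account
        // is still a codeless EOA.
        assertEq(alice.code.length, 0);
    }

    // Case 2: a smart-wallet user is turned away today. The wallet forwards
    // the call, so msg.sender is the wallet while tx.origin is alice's EOA.
    function test_smartWalletExcluded() public {
        bytes memory data = abi.encodeCall(PresaleStub.investMint, ());
        vm.prank(alice, alice);
        vm.expectRevert(bytes("onlyEOA: caller is a contract"));
        wallet.exec{value: 1 ether}(address(presale), data);
        assertEq(presale.invested(alice), 0);
        assertEq(presale.invested(address(wallet)), 0);
    }
}
```

Run with forge test in a Foundry project that has forge-std installed. The first test is the substance of the finding: nothing observable inside the presale separates a direct EOA call from an EIP-3074 AUTHCALL relayed by an invoker, so the modifier cannot guarantee that no contract code is behind the call. The second test is the usability cost named in the recommendation: a Safe user is rejected under the current check.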