Open hats-bug-reporter[bot] opened 7 months ago
Thank you for the submission.
The use of an inverted signature in our case does not pose any threat; it will still be the same valid signature for the user and contract. OZ restricts this to prevent any use cases where users could use it
This is also the functionality that is inherited from Thena, OOS
Github username: --
Twitter username: --
Submission hash (on-chain): 0xb4f750054a2214eafb205ca158257937702f0e619fdb0ab929abf775d8d475e2
Severity: low

Description:
Context: VotingEscrowUpgradeable.sol#L1332

Description
Because the function delegateBySig uses ecrecover and doesn't check for the value of the signature, other signatures, that have higher numerical values, which map to the same signature, could be used. Because the code uses nonces only one signature could be used per nonce.

Recommendation: Consider using ECDSA by Open Zeppelin, or adding the check they use here.
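
The malleability the report describes, and the upper bound on s that OpenZeppelin's ECDSA library enforces, shown as an added example (not code from the project or from the report): a pure-Python secp256k1 recovery routine stands in for ecrecover. The key, nonce and digest are constructed values, and the function names and the `strict` flag are assumptions of this sketch.

```python
P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HALF_N = N // 2  # largest s that OpenZeppelin's ECDSA library accepts

def add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        m = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        m = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def sign(z, d, k):
    """Sign digest z with private key d and nonce k; returns (v, r, s)."""
    R = mul(k, G)
    return 27 + (R[1] & 1), R[0] % N, pow(k, -1, N) * (z + R[0] * d) % N

def recover(z, v, r, s, strict=False):
    """ecrecover-style key recovery; strict=True adds the low-s check."""
    if v not in (27, 28) or not (0 < r < N and 0 < s < N):
        return None
    if strict and s > HALF_N:
        return None  # reject the high-s twin
    y = pow(pow(r, 3, P) + 7, (P + 1) // 4, P)  # square root, as P % 4 == 3
    if (y & 1) != v - 27:
        y = P - y
    rinv = pow(r, -1, N)
    return add(mul(s * rinv % N, (r, y)), mul(-z * rinv % N, G))

# Constructed key, nonce and digest, fixed so the run is reproducible
D, K, Z = 0xC0FFEE, 0xDECAF, int("5a" * 32, 16)
SIG = sign(Z, D, K)
TWIN = (55 - SIG[0], SIG[1], N - SIG[2])  # flip v, negate s: same signer
```

Without the bound, `SIG` and `TWIN` both recover the same public key; with `strict=True` exactly one of them is accepted, so each signed message has a single valid encoding.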