Open hats-bug-reporter[bot] opened 1 week ago
This seems to be intended by Palmera. Please note, name and version is optional and upto protocol developers to include it as a part of domainSeparator hash.
where the type of eip712Domain is a struct named EIP712Domain with one or more of the below fields. Protocol designers only need to include the fields that make sense for their signing domain
Update: name and version is not a part of domainSeparator
hash and DOMAIN_SEPARATOR_TYPEHASH
only contains chainID and verifying contract i.e address(this) so this is intended design, if it was opposite then it could be considered a issue.
First of all, thank you for your observation, below is our feedback on the matter.
The method domainSeparator
already exists in the contract, you can validate it in the abstract contract Helpers.sol
on this line: https://github.com/hats-finance/Palmera-0x5fee7541ddcd51ba9f4af606f87b2c42eea655be/blob/1ac35880b5d45154267788e2db548eaaae0beaa0/src/Helpers.sol#L44
Additional like mention @0xRizwan It is not our intention to include the name and version in the domain separator.
Github username: -- Twitter username: SBSecurity_ Submission hash (on-chain): 0xc5777f38ed6f17f0a268b41afcc5a3c2074c9c8f6a8c02e9cbecdf4ef53da006 Severity: medium
Description: Description\ DomainSeparator is missing name and version
Attack Scenario\ As per EIP-712 DomainSeparator should have name, version, chainId and verifyingContract, but the Palmera implemenattion is missing
name
andversion
It should add name and version like in OZ implementation - https://github.com/OpenZeppelin/openzeppelin-contracts/blob/c3f8b760ad9d0431f33e8303658ccbdcc1610f24/contracts/utils/cryptography/EIP712.sol#L88-L90
Attachments
function domainSeparator() public view returns (bytes32) { return keccak256( abi.encode(Constants.DOMAIN_SEPARATOR_TYPEHASH, getChainId(), this) ); }