Description:Description
The _setWitnessPublicKeys function in the TEERollup contract is vulnerable to replay attacks. Specifically, the function allows updating the witness public keys without any replay protection. This means that an attacker could potentially reuse old transactions to manipulate the witness set, which could compromise the security and integrity of the contract.
Attachments
Proof of Concept (PoC) File
// Proof of Concept: Replay Attack
// Assume these witness public keys have been previously activated
TEERollup.WitnessActivation[] memory witnesses = new TEERollup.WitnessActivation;
witnesses[0] = TEERollup.WitnessActivation({publicKey: "0x123", isActive: true});
witnesses[1] = TEERollup.WitnessActivation({publicKey: "0x456", isActive: true});
// Initial setting of witness public keys
teerollup._setWitnessPublicKeys(witnesses);
// Replaying the same transaction to simulate a replay attack
teerollup._setWitnessPublicKeys(witnesses);
**Recommendation to fix**
Implement nonce or timestamp checks to ensure that old transactions cannot be replayed. By incorporating a timestamp or nonce, the contract can reject outdated or previously executed transactions, thereby mitigating the risk of replay attacks.
Github username: -- Twitter username: GitTopStar Submission hash (on-chain): 0xe641fe61007e4b4bbbaa3d7d37fadd1cebd4493b36199e136649c891bb882653 Severity: medium
Description: Description The
_setWitnessPublicKeys
function in theTEERollup
contract is vulnerable to replay attacks. Specifically, the function allows updating the witness public keys without any replay protection. This means that an attacker could potentially reuse old transactions to manipulate the witness set, which could compromise the security and integrity of the contract.Attachments
// Assume these witness public keys have been previously activated TEERollup.WitnessActivation[] memory witnesses = new TEERollup.WitnessActivation; witnesses[0] = TEERollup.WitnessActivation({publicKey: "0x123", isActive: true}); witnesses[1] = TEERollup.WitnessActivation({publicKey: "0x456", isActive: true});
// Initial setting of witness public keys teerollup._setWitnessPublicKeys(witnesses);
// Replaying the same transaction to simulate a replay attack teerollup._setWitnessPublicKeys(witnesses);