Nonce should be used to prevent signature and MPT proof reuse
Summary
Nonce should be used to prevent signature and MPT proof reuse
Vulnerability Detail
Currently, signature and MPT proof only prevent reuse by using timestamp or block number differences. But that doesn't enough, the signature can be submitted multiple times in the same block too. So, timestamp and block number differences are zero.
Impact
Signatures and MPT proof can be reused causing a severe double spending issue.
Chom
high
Nonce should be used to prevent signature and MPT proof reuse
Summary
Nonce should be used to prevent signature and MPT proof reuse
Vulnerability Detail
Currently, signature and MPT proof only prevent reuse by using timestamp or block number differences. But that doesn't enough, the signature can be submitted multiple times in the same block too. So, timestamp and block number differences are zero.
Impact
Signatures and MPT proof can be reused causing a severe double spending issue.
Code Snippet
https://github.com/sherlock-audit/2022-10-mover/blob/main/cardtopup_contract/contracts/HardenedTopupProxy.sol#L1031-L1048
https://github.com/sherlock-audit/2022-10-mover/blob/main/cardtopup_contract/contracts/HardenedTopupProxy.sol#L1056-L1082
Tool used
Manual Review
Recommendation
Add nonce to signature and MPT proof verification
Duplicate of #42